Dedecms V5.7后台的两处getshell(CVE-2018-9175) CVE-2018-9175 CNNVD-201804-086

7.5 AV AC AU C I A
发布: 2018-04-02
修订: 2018-05-02

第一个是常见的思路,把语句写入inc文件,然后在其他的include语句中,包含了恶意代码进而getshell。 漏洞代码在:`/dede/sys_verifies.php` 代码如下: ``` else if ($action == 'getfiles') { if(!isset($refiles)) { ShowMsg("你没进行任何操作!","sys_verifies.php"); exit(); } $cacheFiles = DEDEDATA.'/modifytmp.inc'; $fp = fopen($cacheFiles, 'w'); fwrite($fp, '<'.'?php'."\r\n"); fwrite($fp, '$tmpdir = "'.$tmpdir.'";'."\r\n"); $dirs = array(); $i = -1; $adminDir = preg_replace("#(.*)[\/\\\\]#", "", dirname(__FILE__)); foreach($refiles as $filename) { $filename = substr($filename,3,strlen($filename)-3); if(preg_match("#^dede/#i", $filename)) { $curdir = GetDirName( preg_replace("#^dede/#i", $adminDir.'/', $filename) ); } else { $curdir = GetDirName($filename); } if( !isset($dirs[$curdir]) ) { $dirs[$curdir] = TestIsFileDir($curdir); } $i++; fwrite($fp, '$files['.$i.'] = "'.$filename.'";'."\r\n"); } fwrite($fp, '$fileConut = '.$i.';'."\r\n"); fwrite($fp, '?'.'>'); fclose($fp); $dirinfos = ''; if($i > -1) { $dirinfos = '<tr bgcolor="#ffffff"><td...

0%
暂无可用Exp或PoC
当前有1条受影响产品信息