DEDECMS 0day exploit: a gold-bug warning (Black Bar Safety Net)

2011-01-26T00:00:00
ID MYHACK58:62201128950
Type myhack58
Reporter Anonymous (佚名)
Modified 2011-01-26T00:00:00

Description

Published author: the mind

Affected versions: dedecms

Official website: http://www.dedecms.com

Vulnerability type: design error

Vulnerability description:

Vulnerability code:

member\index_do.php

else if($fmdo=='login')
{
    // reached via http://127.0.0.1/member/index_do.php?fmdo=login&dopost=login
    // user login
    if($dopost=="login")
    {
        if(!isset($vdcode)) { $vdcode = ''; }
        $svali = GetCkVdValue();
        if(preg_match("/2/", $safe_gdopen))
        {
            if(strtolower($vdcode) != $svali || $svali == '')
            {
                ResetVdValue();
                ShowMsg('CAPTCHA error!', '-1');
                exit();
            }
        }
        if(CheckUserID($userid, '', false) != 'ok')
        {
            ShowMsg("The user name {$userid} you entered is not legal!", '-1');
            exit();
        }
        if($pwd == '')
        {
            ShowMsg("Password cannot be empty!", '-1', 0, 2000);
            exit();
        }
        // check the account
        $rs = $cfg_ml->CheckUser($userid, $pwd);
        // a wrong user name or password does not raise an error here,
        // because the code below still has to run
        #api{{
        if(defined('UC_API') && @include_once DEDEROOT.'/uc_client/client.php')
        {
            // harsh precondition: DZ must be integrated and the
            // uc_client plugin installed
            // check the account against UC
            list($uid, $username, $password, $email) = uc_user_login($userid, $pwd);
            // logging in to DEDECMS also logs in to DZ
            if($uid > 0)
            {
                $password = md5($password);
                // the user exists in UC but not in the CMS: register one
                if(!$rs)
                {
                    // the DEDECMS login was unsuccessful
                    // default coins for a member
                    $row = $dsql->GetOne("SELECT money,scores FROM dede_arcrank WHERE rank='10' ");
                    $scores = is_array($row) ? $row['scores'] : 0;
                    $money = is_array($row) ? $row['money'] : 0;
                    $logintime = $jointime = time();
                    $loginip = $joinip = GetIP();
                    $res = $dsql->ExecuteNoneQuery("INSERT INTO dede_member SET mtype='personal',userid='$username',pwd='$password',uname='$username',sex='Male',rank='10',money='$money', email='$email', scores='$scores', matt='0', face='',safequestion='0',safeanswer='', jointime='$jointime',joinip='$joinip',logintime='$logintime',loginip='$loginip';");
                    // this is where the vulnerability forms: once the DZ user
                    // is fully logged in, the account is established in DEDECMS.
                    // In testing, only the password is replaced!
                }
            }
        }
        // (the snippet on the page ends here)
    }
}

To put it simply, DEDECMS's login verification works like this: if the DEDE account logs in successfully, the user is also logged in to DZ, and if the DZ login fails, an account with the same user name and password is created in DZ. Conversely, if the DEDECMS login fails but the account logs in to DZ successfully, the DZ account's password is written into DEDECMS.

Prerequisites for exploitation: first, DZ must be integrated; second, the administrator account must not be named ADMIN, because the DZ administrator is ADMIN by default; third, the DEDE administrator must not have logged in from the front desk, and the administrator's account name must be known.

So, register an account in DZ with the same name as the DEDE administrator, then log in from the DEDE side: this overwrites the DEDE administrator's password. Then modify the basic information to change the password once more, which overwrites the backend password, and you can log in to the backend directly and get a WEBSHELL.
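The decision logic above, modelled as an added example (this is not DedeCMS or UCenter code; the member table, UC directory, ranks and passwords are constructed). It puts the flow from the page beside a hardened version that refuses to rewrite an existing local record from the external login and only provisions new accounts at the default member rank:

```python
# Added model of the DedeCMS/UCenter login-sync logic described on the page.
# NOT DedeCMS code: tables, ranks and passwords here are constructed.
import hashlib


def md5hex(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


def dede_checkuser(userid, pwd, members):
    """Stands in for $cfg_ml->CheckUser(): True only on a local match."""
    row = members.get(userid)
    return row is not None and row["pwd"] == md5hex(pwd)


def uc_user_login(userid, pwd, uc_users):
    """Stands in for uc_user_login(): uid > 0 on success, -1 otherwise."""
    return 1 if uc_users.get(userid) == pwd else -1


def vulnerable_login(userid, pwd, members, uc_users):
    """Mirrors the flow on the page: a UC success plus a local failure is
    treated as 'no local account', so the UC credentials are written into
    dede_member for that userid, replacing whatever record was there."""
    rs = dede_checkuser(userid, pwd, members)
    if uc_user_login(userid, pwd, uc_users) > 0 and not rs:
        members[userid] = {"pwd": md5hex(pwd), "rank": "10"}  # default rank
        return "synced_from_uc"
    return "ok" if rs else "fail"


def hardened_login(userid, pwd, members, uc_users):
    """Same flow with two checks added: an existing local record is never
    rewritten from the external directory, and provisioning only creates
    new accounts at the default member rank (never a privileged one)."""
    if dede_checkuser(userid, pwd, members):
        return "ok"
    if uc_user_login(userid, pwd, uc_users) <= 0:
        return "fail"
    if userid in members:
        # Local account exists but its password did not match: refuse
        # instead of trusting the external login for that name.
        return "fail_conflict"
    members[userid] = {"pwd": md5hex(pwd), "rank": "10"}
    return "provisioned"
```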

Overall, the conditions are harsh! But it is still one of the ways to get a WEBSHELL.